From rforno at infowarrior.org Fri Jun 1 02:44:39 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 31 May 2007 22:44:39 -0400
Subject: [Infowarrior] - CSO -- Antiforensics tools
Message-ID:

From: www.cio.com

How Online Criminals Make Themselves Tough to Find, Near Impossible to Nab
Scott Berinato, CSO
May 31, 2007
http://www.cio.com/article/print/114550

Forensic investigations start at the end. Think of it: You wouldn't start using science and technology to establish facts (that's the dictionary definition of forensics) unless you had some reason to establish facts in the first place. But by that time, the crime has already happened. So while requisite, forensics is ultimately unrewarding.

A clear illustration of this fact comes from the field investigations manager for a major credit services company. Sometime last year, he noticed a clutch of fraudulent purchases on cards that all traced back to the same aquarium. He learned quite a bit through forensics. He learned, for example, that an aquarium employee had downloaded an audio file while eating a sandwich on her lunch break. He learned that when she played the song, a rootkit hidden inside the song installed itself on her computer. That rootkit allowed the hacker who'd planted it to establish a secure tunnel so he could work undetected and "get root" -- administrator's access to the aquarium network.

Sounds like a successful investigation. But the investigator was underwhelmed by the results. Why? Because he hadn't caught the perpetrator and he knew he never would. What's worse, that lunch break with the sandwich and the song download had occurred some time before he got there. In fact, the hacker had captured every card transaction at the aquarium for two years. The investigator (who could only speak anonymously) wonders aloud what other networks are right now being controlled by criminal enterprises whose presence is entirely concealed.

Computer crime has shifted from a game of disruption to one of access. The hacker's focus has shifted too, from developing destructive payloads to circumventing detection. Now, for every tool forensic investigators have come to rely on to discover and prosecute electronic crimes, criminals have a corresponding tool to baffle the investigation.

This is antiforensics. It is more than technology. It is an approach to criminal hacking that can be summed up like this: Make it hard for them to find you and impossible for them to prove they found you.

The concept is neither new nor foolproof, but in the past 12 months, forensic investigators have noticed a significant uptick in the use of antiforensics. This is not because hackers are making more sophisticated antiforensic tools, though some are. Rather, it's because antiforensic tools have slid down the technical food chain, from Unix to Windows, from something only elite users could master to something nontechnical users can operate. What's more, this transition is taking place right when (or perhaps because of) a growing number of criminals, technically unsophisticated, want in on all the cash moving around online and they need antiforensics to protect their illicit enterprises.

"Five years ago, you could count on one hand the number of people who could do a lot of these things," says the investigator. "Now it's hobby level."

Researcher Bryan Sartin of Cybertrust says antiforensic tools have gotten so easy to use that recently he's noticed the hacks themselves are barely disguised. "I can pick up a network diagram and see where the breach occurred in a second," says Sartin. "That's the boring part of my job now. They'll use FTP and they don't care if it logs the transfer, because they know I have no idea who they are or how they got there."

Veteran forensic investigator Paul Henry, who works for a vendor called Secure Computing, says, "We've got ourselves in a bit of a fix.
From a purely forensic standpoint, it's real ugly out there."

Vincent Liu, partner at Stach & Liu, has developed antiforensic tools. But he stopped because "the evidence exists that we can't rely on forensic tools anymore. It was no longer necessary to drive the point home. There was no point rubbing salt in the wound," he says.

The investigator in the aquarium case says, "Antiforensics are part of my everyday life now." As this article is being written, details of the TJX breach -- called the biggest data heist in history, with more than 45 million credit card records compromised -- strongly suggest that the criminals used antiforensics to maintain undetected access to the systems for months or years and capture data in real time. In fact, the TJX case, from the sparse details made public, sounds remarkably like the aquarium case on a massive scale. Several experts said it would be surprising if antiforensics weren't used. "Who knows how many databases containing how many millions of identities are out there being compromised?" asks the investigator. "That is the unspoken nightmare."

The Obfuscator's Toolkit

If you were making a movie about a computer crime, the bad guys would use antiforensics. And since it's a movie, it should be exciting, so they'd use the clever and illicit antiforensic tools, the sexy ones with little or no legitimate business purpose. Liu has developed such tools under the Metasploit Framework, a collection of software designed for penetration testing and, in the case of the antiforensic tools, to expose the inherent weaknesses in forensics in hopes that the forensics industry would view it as a call to action to improve its toolset.

One of Liu's tools is Timestomp. It targets the core of many forensic investigations -- the metadata that logs file information including the times and dates of file creation, modification and access.
Forensic investigators poring over compromised systems where Timestomp was used often find files that were created 10 years from now, accessed two years ago and never modified.

Transmogrify is similarly wise to the standard procedures of forensic investigators. It allows the attacker to change information in the header of a file, a space normally invisible to the user. Typically, if you changed the extension of a file from, say, .jpg to .doc, the header would still call it a .jpg file and header analysis would raise a red flag that someone had messed with the file. Transmogrify alters the header along with the file extension so that the analysis raises no red flags. The forensic tools see something that always was and remains a .doc file.

Slacker would probably be in the movie too. It breaks up a file and stashes the pieces in the slack space left at the end of files. Imagine you stole the Dead Sea Scrolls, ripped them into thousands of small pieces, and then tucked those pieces, individually, into the backs of books. That's Slacker, only Slacker is better because you can reassemble the data and, while hidden, the data is so diffuse that it looks like random noise to forensic tools, not the text file containing thousands of credit card numbers that it actually is.

Another tool, Sam Juicer, retrieves encrypted passwords but leaves behind no evidence it was ever run, allowing you to crack the passwords later offline. KY stuffs data into null directory entries, which will still look null to the outside world. Data Mule infiltrates hard disk drives' normally off-limits reserved space. Randomizers auto-generate random file names to evade signature-based inspection. There are tools that replace Roman letters with identical-looking Cyrillic ones to avoid suspicion and inspection. In other words, you need explorer.exe to run your computer, but you don't need explorer.exe, which looks the same but actually starts with a Cyrillic "e" and is a keylogger.

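A defender-side triage for two of the artifacts described above, timestamps that cannot be true and file names that mix look-alike Cyrillic and Latin letters; this is an added example, not code from the article or from the tools it names. The record layout, the KNOWN_NAMES allow-list, the look-alike table and the sample records are assumptions constructed for illustration.

```python
"""Triage for implausible file timestamps and look-alike file names.
All sample records below are constructed for illustration."""
import unicodedata
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Small illustrative Cyrillic -> Latin look-alike table (not exhaustive).
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
})

# Assumed allow-list of names an analyst expects to see on the host.
KNOWN_NAMES = {"explorer.exe", "svchost.exe", "firefox.exe"}


@dataclass
class FileRecord:
    name: str
    created: Optional[datetime]
    modified: Optional[datetime]
    accessed: Optional[datetime]


def scripts_in(name: str) -> set:
    """Unicode scripts (LATIN, CYRILLIC, ...) of the letters in a name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in name if ch.isalpha()}


def imitates(name: str) -> Optional[str]:
    """Return the known name that `name` visually imitates, if any."""
    lowered = name.lower()
    skeleton = lowered.translate(CONFUSABLES)
    if skeleton in KNOWN_NAMES and lowered != skeleton:
        return skeleton
    return None


def timestamp_findings(rec: FileRecord, now: datetime) -> list:
    """Flag missing or future timestamps and access-before-creation."""
    findings = []
    for label, ts in (("created", rec.created),
                      ("modified", rec.modified),
                      ("accessed", rec.accessed)):
        if ts is None:
            findings.append(f"{label} time missing")
        elif ts > now:
            findings.append(f"{label} time is in the future")
    if rec.created and rec.accessed and rec.accessed < rec.created:
        findings.append("accessed before created")
    return findings


def triage(records, now: datetime) -> dict:
    """Map each suspicious file name to the list of reasons it was flagged."""
    report = {}
    for rec in records:
        findings = timestamp_findings(rec, now)
        scripts = scripts_in(rec.name)
        if len(scripts) > 1:
            findings.append("mixed scripts in name: " + ", ".join(sorted(scripts)))
        target = imitates(rec.name)
        if target:
            findings.append(f"look-alike of {target}")
        if findings:
            report[rec.name] = findings
    return report


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample: acquisition time and three file records.
NOW = utc(2007, 6, 1)
SAMPLE = [
    FileRecord("explorer.exe", utc(2006, 1, 10), utc(2006, 1, 10), utc(2007, 5, 30)),
    # First letter is U+0435 CYRILLIC SMALL LETTER IE, not Latin "e".
    FileRecord("\u0435xplorer.exe", utc(2007, 3, 2), utc(2007, 3, 2), utc(2007, 5, 30)),
    # Created ten years ahead, accessed two years ago, no modified time.
    FileRecord("report.doc", utc(2017, 6, 1), None, utc(2005, 6, 1)),
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE, NOW).items():
        print(ascii(name), "->", "; ".join(reasons))
```

Modified-before-created is deliberately not flagged, since copying a file on NTFS legitimately produces it. Timestamps rewritten to plausible values pass these checks, so a clean result narrows a search rather than proving a file is untouched.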
If you want to go full-out cloak-and-dagger in your movie, you'd show off antiforensic tools that have gone solid-state. Diskless A-F is the state of the art; it avoids logging of activity altogether. "There's nothing on the disk that can't be messed with," says Liu. "So the arms race has left the disk and is moving into memory. Memory is volatile storage. It's a lot more difficult to understand what's going on in there. Disk layout is documented; you know where to look for stuff. In memory, stuff moves around; you can't track it down."

MosDef is one example of diskless antiforensics. It executes code in memory. Many rootkits now load into memory; some use the large stockpiles of memory found on graphics cards. Linux servers have become a favorite home for memory-resident rootkits because they're so reliable. Rebooting a computer resets its memory. When you don't have to reboot, you don't clear the memory out, so whatever is there stays there, undetected. "You've got 128 megs of RAM in network printers that are never shut off!" exclaims Michael Davis, CEO of incident response company Savid Technologies and a veteran security researcher who worked on the Honeynet Project. "It's an old technique, but a common one."

Antiforensics Tools That Appear Legitimate on First Blush

Perhaps less sexy -- but just as problematic to the forensic investigator -- are antiforensic tools that fall into a gray middle on the spectrum of legitimacy. These include tools like packers, which pack executable files into other files. In the aquarium case, the criminal most likely used a packer to attach his rootkit to the audio file. Binders bind two executables into one, an especially dangerous tool when one of the executables is legitimate. I might have no concern clicking on firefox.exe, for example, but it could very well be bound to keylogger.exe.

Virtualization is a popular trend in IT now, because it allows one machine to run many environments.
Hackers simply apply the principle to their jobs; one of the virtual environments borrowing the hardware becomes theirs.

Steganography -- hiding data in other data -- has legitimate uses for the privacy conscious, but then criminals breaking into systems are privacy conscious too. A great way to transport data you're not supposed to have is to hide it where it will generate no suspicion, like in photos of executives that the marketing department keeps on the network. (Disagreement reigns over the prevalence of steganography as an antiforensic technique in practice; no one disputes its capabilities or increasing ease of use, though).

Disk wiping systems are valuable for refreshing and decommissioning hard disks on machines, and boosting performance. But they also serve the criminal who needs to erase his digital tracks. Some data wiping programs have been tuned to thwart the specific programs that criminals know are popular with forensic investigators, like EnCase, and they are marketed that way.

The most prosaic antiforensic tools are also the most common. Security software like encryption and VPN tunneling serve as foundations of the criminal hacker's work once he's infiltrated a system. "In one case, we found a large retail database that was compromised," says Sartin. "And the first thing the hackers did when they got there was install a client VPN," and at that point, they became virtually invisible.

Another classic antiforensic technique is to partition a hard drive and encrypt one section of it, then partition that partition and encrypt a subsection of that. "Any data in that second partition I can deny ever existed," says Henry. "Then the bad guy who is caught gives up the password or key for the first partition, which typically contains only moderately bad stuff. The really bad stuff is in the second partition, but the investigators have no clue it's there. Forensic tools wouldn't see the second partition; it would look like random trash."

These techniques are not sexy -- they might not make it into the movie -- but in some ways they're actually the most problematic antiforensic tools, because there are excellent reasons to continually improve encryption, secure remote access, disk partitioning and virtual environments. Better encryption stands to protect data and privacy. Secure tunnels make remote business over the Internet feasible. Virtualization is an efficiency boon. And yet, improving these products also happens to improve the criminal's antiforensic toolkit in lockstep.

This list is only a sample of the tools used for antiforensics. Many others do clever things, like block reverse engineering of code or purposefully leave behind misleading evidence to send forensic investigators down the wrong path, wasting their time and money. Taken at its most broad, antiforensics even extends to physical techniques, like degaussing hard drives or taking a sledgehammer to one. The portfolio of techniques available, for free or for a low cost, is overwhelming.

An antiforensic pioneer and hacker who calls himself the Grugq (sounds like "grug") says he once presented this kind of primer on antiforensics to the police's largest computer forensics unit in London. "It was packed with all these mean-looking coppers," he recalls. "And here I am, this computer security guy saying, 'You're all [screwed] and there's nothing you can do about it.' When I finished, it was quiet. Only one person raised his hand. Scary geezer. Six-two, shaved head. Tattoos all over his arms. I thought he might thump me.

"But he stood up and looked like he was about to cry. All he said was, 'Why are you doing this?'"

Why Are They Developing Antiforensic Tools?

As long as five years ago, Grugq was creating antiforensic tools. Data Mule is one in his package that he calls the Defiler's Toolkit. Likewise, Liu developed Timestomp, Slacker and other tools for the Metasploit Framework.
In fact, a good portion of the antiforensic tools in circulation come from noncriminal sources, like Grugq and Liu and plain old commercial product vendors. It's fair to ask them, as the overwhelmed cop in London did, why develop and distribute software that's so effective for criminals?

Grugq's answer: "If I didn't, someone else would. I am at least pretty clean in that I don't work for criminals, and I don't break into computers. So when I create something, it only benefits me to get publicity. I release it, and that should encourage the forensics community to get better. I am thinking, Let's fix it, because I know that other people will work this out who aren't as nice as me. Only, it doesn't work that way. The forensics community is unresponsive for whatever reason. As far as that forensic officer [in London] was concerned, my talk began and ended with the problem."

Antiforensics Tools Reveal Vulnerabilities in Computer Forensics Tools

Liu agrees but takes it further. He believes developing antiforensics is nothing less than whistle-blowing. "Is it responsible to make these tools available? That's a valid question," he says. "But forensic people don't know how good or bad their tools are, and they're going to court based on evidence gathered with those tools. You should test the validity of the tools you're using before you go to court. That's what we've done, and guess what? These tools can be fooled. We've proven that."

For any case that relies on digital forensic evidence, Liu says, "It would be a cakewalk to come in and blow the case up. I can take any machine and make it look guilty, or not guilty. Whatever I want."

Liu's goal is no less than to upend a legal precedent called the presumption of reliability. In a paper that appeared in the Journal of Digital Forensic Practice, Liu and coauthor Eric Van Buskirk flout the U.S. courts' faith in digital forensic evidence.
Liu and Van Buskirk cite a litany of cases that established, as one judge put it, computer records' "prima facie aura of reliability." One decision even said computer records were "uniquely reliable in that they were computer-generated rather than the result of human entries." Liu and Van Buskirk take exception. The "unfortunate truth" they conclude, is that the presumption of reliability is "unjustified" and the justice system is "not sufficiently skeptical of that which is offered up as proof."

It's nearly a declaration that, when it comes to digital information, there's no such thing as truth. Legally anyway. As Henry likes to put it, "Antiforensic tools have rendered file systems as no longer being an accurate log of malicious system activity."

Computer forensics in some ways is storytelling. After cordoning off the crime scene by imaging the hard drive, the investigator strings together circumstantial evidence left at the scene, and shapes it into a convincing story about who likely accessed and modified files and where and when they probably did it. Antiforensics, Liu argues, unravels that narrative. Evidence becomes so circumstantial, so difficult to have confidence in, that it's useless.

"The classic problem already with electronic crimes has been, How do you put the person you think committed a crime behind the guilty machine they used to commit the crime?" says Brian Carrier, another forensic researcher, who has worked for the Cerias infosecurity research program at Purdue University. Upending the presumption of reliability, he says, presents a more basic problem: How do you prove that machine is really guilty in the first place? "I'm surprised it hasn't happened yet," says Liu. "But it will."

Under the current computing infrastructure, data is untrustworthy, then. The implications of this, of courts limiting or flat-out denying digital forensics as reliable evidence, can't be understated.
Without the presumption of reliability, prosecution becomes a more severe challenge and thus, a less appealing option. Criminals reasonably skilled with antiforensics would operate with a kind of de facto legal immunity.

Making It Not Worth It

Despite all that, casting doubt over evidence is just a secondary benefit of antiforensics for criminals. Usually cases will never get to the legal phase because antiforensics makes investigations a bad business decision. This is the primary function of antiforensics: Make investigations an exercise in throwing good money after bad. It becomes so costly and time-consuming to figure out what happened, with an increasingly limited chance that figuring it out will be legally useful, that companies abandon investigations and write off their losses.

"Business leaders start to say, 'I can't be paying $400 an hour for forensics that aren't going to get me anything in return,'" says Liu. "The attackers know this. They contaminate the scene so badly you'd have to spend unbelievable money to unravel it. They make giving up the smartest business decision."

"You get to a point of diminishing returns," says Sartin. "It takes time to figure it out and apply countermeasures. And time is money. At this point, it's not worth spending more money to understand these attacks conclusively."

One rule hackers used to go by, says Grugq, was the 17-hour rule. "Police officers [in London's forensics unit] had two days to examine a computer. So your attack didn't have to be perfect. It just had to take more than two eight-hour working days for someone to figure out. That was like an unwritten rule. They only had those 16 hours to work on it. So if you made it take 17 hours to figure out, you win." Since then, Grugq says, law enforcement has built up 18-month backlogs on systems to investigate, giving them even less time per machine.

"Time and again I've seen it," says Liu.
"They start down a rat hole with an investigation and find themselves saying, 'This makes no sense. We're not running a business to do an investigation.' I've seen it at Fortune 100s. The company says, 'We think we know what they got and where. Let's close it up.' Because they know that for every forensic technique they have, there's an antiforensic answer. Unfortunately, the converse isn't true."

The Rise of Antiforensics Tools Will Force Computer Investigators to Change

By now, it should be clear why Henry of Secure Computing has been giving a presentation called "Anti-Forensics: Considering a Career in Computer Forensics? Don't Quit Your Day Job." The state of forensics certainly sounds hopeless, and Henry himself says, "The forensics community, there's not a hell of a lot they can do."

But in fact there's some hope. Carrier says, "Yes, it makes things a lot harder, but I don't think it's the end of the world by any means." What can start to turn the tables on the bad guys, say these experts and others, is if investigators embrace a necessary shift in thinking. They must end the cat-and-mouse game of hack-defend-hack-defend. Defeating antiforensics with forensics is impossible. Investigations, instead, must downplay the role of technology and broaden their focus on physical investigation processes and techniques: intelligence, human interviews and interrogations, physical investigations of suspects' premises, tapping phones, getting friends of suspects to roll over on them, planting keyloggers on suspects' computers. There are any number of ways to infiltrate the criminal world and gather evidence.

In fact, one of the reasons for the success of antiforensics has been the limited and unimaginative approach computer forensic professionals take to gathering evidence. They rely on the technology, on the hard disk image and the data dump. But when evidence is gathered in such predictable, automated ways, it's easy for a criminal to defeat that.

"I go back to my background as a homicide detective," says the investigator in the aquarium case. "In a murder investigation, there is no second place. You have to win. So you come at it from every angle possible. You think of every way to get to where you want to go. Maybe we can't find the source on the network with a scanning tool. So you hit the street. Find a boss. His boss. His boss. You find the guy selling data on the black market. The guy marketing it on [Internet Relay Chat]. You talk to them. They're using stego? Maybe we drop some stego on them. The techniques used in physical investigations are becoming increasingly important."

Indeed, if one looks back on some of the major computer crimes in which suspects were caught, one will notice that rarely was it the digital evidence that led to their capture. In the case of Jeffrey Goodin of California, the first ever under the Can-Spam Act, it was a recorded phone call with a friend who had flipped on the suspect that led to the conviction. In the case of the Russian botnet operators who had extorted millions from gaming sites, it was an undercover operation in which a "white hat" hacker befriended the criminals. In the United Kingdom, says Grugq, the police are using social modeling to try to penetrate antiforensics used on mobile phones for drug dealing. "The police's goal is to get a confession," he says. "They don't care if they have compelling evidence off the disk."

In the TJX case, the only arrests made to date are based on purchases of exorbitant gift cards at the company's retail stores, caught on tape. It will be the interviews with those people, and not system analysis, that will lead to more information and, potentially, more arrests in the case.

"Every successful forensics case I've worked on turned into a physical security investigation," says Bill Pennington, a researcher at White Hat Security and veteran technical forensics investigator.
"In one case, it was an interview with someone who turned on someone else. You layer the evidence. Build it up. He sees the writing on the wall, and he cracks. But if we had to rely on what the computer evidence told us, we would have been stuck."

Moving Targets

Behind the portfolio of easy-to-use Windows-based antiforensic tools, criminal hackers are building up a next-generation arsenal of sophisticated technical tools that impress even veterans like Grugq. "There are now direct attacks against forensic tools," he says. "You can rootkit the analysis tool and tell it what not to see, and then store all your evil stuff in that area you told the analysis tool to ignore. It is not trivial to do, but finding the flaw in the analysis tool to exploit is trivial."

Another new technique involves scrambling packets to avoid finding data's point of origin. The old-school way of avoiding detection was to build up a dozen or so "hop points" around the world -- servers you bounced your traffic off of that confounded investigations because of the international nature of the traffic and because it was just difficult to determine where the traffic came from, really. The state-of-the-art antiforensic technique is to scramble the packets of data themselves instead of the path. If you have a database of credit card information, you can divvy it up and send each set of packets along a different route and then reassemble the scatterlings at the destination point -- sort of like a stage direction in a play for all the actors to go wherever as long as they end up on their mark.

The aquarium attack, two years later, already bears tinges of computer crime antiquity. It was clever but today is hardly state of the art. Someday, the TJX case will be considered ordinary, a quaint precursor to an age of rampant electronic crime, run by well-organized syndicates and driven by easy-to-use, widely available antiforensic tools.
Grugq's hacking mentor once said it's how you behave once you have root access that's interesting.

In a sense, that goes for the good guys too. They've got root now. How are they going to behave? What are they going to do with it? "We've got smarter good guys than bad guys right now," says Savid Technologies' Davis. "But I'm not sure how long that will be the case. If we don't start dealing with this, we're not even going to realize when we get hit. If we're this quiet community, not wanting to talk about it, we're going to get slammed."

Send feedback to Senior Editor Scott Berinato at sberinato at cxo.com

2002-2007 CXO Media Inc. All rights reserved. Reproduction in whole or in part without permission is prohibited.

From rforno at infowarrior.org Fri Jun 1 13:26:48 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 01 Jun 2007 09:26:48 -0400
Subject: [Infowarrior] - A Big Ball of Connectivity
Message-ID:

http://www.popsci.com/popsci/technology/8d81e8ee82c82110vgnvcm1000004eecbccdrcrd.html

Name: GATR-Com
Inventor: Paul Gierow
Cost to Develop: $1.5 million
Time: 5 years

No, it's not a giant beach ball. It's an ultralight, ultraportable antenna tucked inside an inflatable shell that can pull down a superfast broadband satellite connection at any location. The GATR-Com is designed for disaster-relief responders, far-flung video producers and front-line troops -- anyone whose job (or life) depends on getting digital information -- video, Internet, calls -- in and out of remote places.

"You just can't do effective disaster relief without decent satellite communications," says Eric Rasmussen, a U.S. Navy physician and commander whose relief experience includes the Indonesian tsunami of 2004 and the aftermath of battles in Bosnia and Iraq. "But when the mud is two feet deep, if you can't pack a dish on your back or drop it out of a plane, it's not going to get there."

The GATR-Com (an acronym for "ground antenna transmit and receive") system, complete with electronics and tethering gear, weighs less than 70 pounds and fits easily into two backpacks. It can be powered by a car's cigarette lighter or a small generator. There's nothing else like it that's this small or rugged.

The GATR-Com is the brainchild of engineer Paul Gierow, who spent 20 years developing large deployable space antennas for NASA. Gierow realized that the need for a highly portable antenna is just as relevant on Earth as it is in space -- especially considering the earthly inevitabilities of gravity, mud and sky-high air-freight costs.

The antenna is made of a flexible, high-strength plastic lined with conductive mesh inside a large (six- or eight-foot) sphere constructed of a material similar to that used for racing sails. A valve from a small compressor directs slightly more air pressure to one side of the antenna, giving it a parabolic shape. At first, Gierow and his business partner, William R. Clayton, worried that an inflatable sphere might just blow away. But the GATR-Com's spherical shape actually deflects air twice as efficiently as rigid disks do and protects the internal antenna's shape from being distorted by gusts. "The idea itself is actually fairly simple," Gierow says. "The trick was to come up with a way to tie it down, target it [to a satellite] to one tenth of a degree, and keep it stable."

Backed by research grants from the Air Force and Darpa, the Pentagon's R&D branch, Gierow refined his invention for nearly three years before he got up the nerve to quit his job as vice president of NASA contractor SRS Technologies and bet his livelihood on his creation. The next day, Hurricane Katrina gave him a perfect opportunity to prove the device worked in the real world. Gierow drove from where he lives near Decatur, Alabama, to Biloxi, Mississippi, and set up his prototype at a Red Cross shelter.
For two weeks, the system served as an electronic lifeline to the outside world. "One lady had just had an organ transplant, and she didn't have her anti-rejection medication," Gierow recalls. "We were able to get in touch with a pharmacist [about four hours north of Biloxi], and he drove it to us."

Gierow's improvised effort caught the attention of the organizers of Strong Angel III, a disaster-relief simulation led by Rasmussen. Held last August in San Diego, the six-day event brought together teams from the Pentagon, relief agencies and high-tech companies. The mission: to field-test new technologies and tools that could be used to respond to natural disasters, epidemics or terrorist attacks. "They were the only ones who walked in carrying their gear," Rasmussen says of Gierow's team. "At first look, the device incited snickers. But they pulled it out of the backpack, inflated it, and tethered it -- and in 15 minutes, we had a rock-solid satellite signal. This is a technology that could give us a huge increase in our capabilities."

The GATR-Com's $50,000 price tag makes it an unlikely accessory for most solo travelers. But its cost is far less than that of other remote-deployable satellite antennas, not to mention the savings it provides in transportation costs.

With inquiries from a wide range of potential clients, Gierow regularly puts in 70-hour workweeks in his warehouse office/lab. But last summer he managed to take a week off to bring his family to the beach. Not surprisingly, the antenna came too. "I was the nerd on the beach with the really big ball," Gierow says, "and the T1 connection."

From rforno at infowarrior.org Sat Jun 2 12:29:02 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 02 Jun 2007 08:29:02 -0400
Subject: [Infowarrior] - New patron-pager for moviegoers
Message-ID:

(what's next, citizens' arrests for popcorn-throwing??
-rf)

http://www.boingboing.net/2007/06/01/silly_gadget_for_rep.html

Silly gadget for reporting bad picture, sound, and piracy at the movies

"Link goes to a news report on the 'Regal Guest Response System', a pager system given to a random patron in 114 US cinemas (here's the media release). The patron's device has four buttons on it:

1. Sound
2. Picture
3. Piracy
4. Other disturbance

"When they press the button, a staff member is alerted and responds accordingly. Presumably #3 sends a call directly to the MPAA bat phone.

"That's hilarious corporation-oriented design, eh? Surely the moviegoer's number one complaint is noisy neighbours, and yet it's bundled under 'other disturbance'. Where's my button for 'the guy next to me reeks' or 'I paid $11 for this jackalope turd?'"

From rforno at infowarrior.org Sun Jun 3 03:09:05 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 02 Jun 2007 23:09:05 -0400
Subject: [Infowarrior] - DHS: beware stink-bomb touting terrorists
Message-ID:

Original URL: http://www.theregister.co.uk/2007/06/02/dhs_dud_interesting_chemicals/

DHS: beware stink-bomb touting terrorists
By George Smith, Dick Destiny
Published Saturday 2nd June 2007 04:12 GMT

Unusual paranoia over chemical attack in the US takes many forms. It can be seen in a recent piece of trouble from the Department of Homeland Security, a long list of "chemicals of interest" it wishes to require all university settings to inventory.

"Academic institutions across the country claim they will have to spend countless hours and scarce resources on documenting very small amounts of chemicals in many different labs that are scattered across sometimes sprawling campuses," reported a recent Chemical & Engineering News, the publication of the American Chemical Society. "For 104 chemicals on the list, the threshold is 'any amount.'"

An update to address university workload concerns is said to be scheduled for "early to mid-June."
However, before that happens, let's take a peek at the list. If one has a little bit of background in chemical weapons synthesis, one can see DHS is possessed by the idea that terrorists might storm into universities and plunder chem labs for precursors to nerve gases. Isopropyl methyl phosphonochloridate is to be inventoried in any amount. Although not specified, it is one potential ingredient on the road to sarin synthesis. Zooming in on the list for its specific entry, a quick look up and down a few rungs shows a cluster of similar compounds, all of which are earmarked at "any amount" for the same reasons. While some of it seems OK, there is some interior nagging that this is not entirely the case. The combination of unusual organic precursors into nerve gases, for instance, is not nearly as easy to do as is generally thought by counter-terror experts. Triethanolamine, also flagged at "any amount," can be used to produce mustard gas. However, it's also used commercially in detergents and many other products. Bad air day Nitric oxide, by way of another example, is of interest to DHS in "any amount." In the simple reaction caused by tossing a penny into a beaker of nitric acid, nitric oxide is formed and immediately combines with atmospheric oxygen to form the toxic red brown gas, nitrogen dioxide. The inclusion of it is simply a head scratcher since the particular activity doesn't really lend itself to the making of a terror weapon. It's more appropriately thought of as a compound that contributes to smog formation. Similarly earmarked is sulfur dioxide, the gas resulting when sulfur is burned. Air pollution, as far as is known, isn't useful to terrorists. Another compound in the "any amount" catch all is hydrogen sulfide, the toxic gas that smells like rotten eggs. Functionally, generating "any amounts" of hydrogen sulfide has always been part of an education in chemistry. 
Believe it or not, there was a time when generation of it was included as a spark to an interest in chemistry in children's store bought chemistry sets. However, in the past fifteen years we've had the pleasure of publication of a number of poisons for ninnies books, among them Maxwell Hutchkinson's "The Poisoner's Handbook," published by Loompanics in 1988. Much of Hutchkinson was subsequently plagiarized into jihadist documents on chemical terror, among these being Abdel-Aziz's Mujahideen Poisons Handbook, which if found during terror investigations functionally works toward ensuring a stay in the dungeon for owners. The Mujahideen Poisons Handbook contains an old hydrogen sulfide producing experiment. "It is very dangerous," its author states, not particularly accurately. "It can kill a person in thirty seconds." Instead of meditating on the naiveté of the uneducated man who has never had a chemistry set, since 9/11 we have instead been plagued by terror assessors who are not chemists, mucking with regulation through the offices of DHS's science directorate. To make the weirdness of this clear, hydrogen sulfide - like almost everything in the Mujahideen Poisons Handbook, goes back to the materials in The Poisoner's Handbook. "The manufacture of hydrogen sulfide is [simple]," writes Hutchkinson. "It is created by water coming into contact with phosphorus pentasulfide." This is actually true, unlike many things in terrorist poison handbooks. On the DHS list, phosphorus pentasulfide is only of interest if a university has a ton of it. Hydrogen sulfide, any amount. Phosphorus pentasulfide, one ton. Looking for logic becomes like trying to pick up spilled mercury. While the American Chemical Society and universities would not be expected to know any of this, it does noticeably impact policy. On a FEMA (FEMA being part of DHS) website, for instance, we read "Terrorists Planned Deadly Gas Attack On Western Targets." 
The standard woeful chemical terror document is cited, although not by name. Hydrogen sulfide, cyanide and narcotics are mentioned. These clues inform that the terrorist document is another child of Hutchkinson. Of special note is the box out quote -"30 ml of the agent can kill 60 million people" which addresses the Islamist terror biochemist's fascination with the toxin that produces botulism. Jihadists, it has been found, have no idea how to make the toxin. They just like the idea of something that deadly and because the translators of Hutchkinson have said it is easy to do by throwing meat, excrement and dirt in a can, it is almost everywhere in their literature. Of course, it's just a question of time before terrorists gain the capability to attack with such things, it is written. Although it wouldn't be clear to the heads of university chemistry departments and other organizations affected by the DHS "chemicals of interest" list, it is somewhat obvious to this writer that the agency's regulations are strongly influenced by people who believe the literature of Hutchkinson and others, translated into Arabic, to be an actual threat. The practical end result has been bad and universities have issued a loud protest over the list. For instance, IPC, a trade organization of the electronics industries writes in a letter that the DHS list is "inadequately defined," a rather gentlemanly way of putting it. In another memo of comment, the ACS also notes the DHS requirement will be "impossible to implement in laboratories" and it will "conflict with the education and research mission of institutions." The ACS memo cites a few onerous examples from the DHS document, hydrogen sulfide being one of them. How this will sort out in the next weeks remains to be seen. Initial bets would be on academic science brushing back the Department of Homeland Security. George Smith is a Senior Fellow at GlobalSecurity.org, a defense affairs think tank and public information group. 
At Dick Destiny (http://www.dickdestiny.com/blog/dickdestiny.html), he blogs his way through chemical, biological and nuclear terror hysteria, often by way of the contents of neighborhood hardware stores. From rforno at infowarrior.org Sun Jun 3 03:15:56 2007 From: rforno at infowarrior.org (Richard Forno) Date: Sat, 02 Jun 2007 23:15:56 -0400 Subject: [Infowarrior] - China plans military hotline with US In-Reply-To: Message-ID: Who says the Cold War ended? And, I hope they don't use VOIP here......-rf China plans military hotline with US (Reuters/Xinhua) Updated: 2007-06-03 08:44 http://www.chinadaily.com.cn/china/2007-06/03/content_885935.htm SINGAPORE - China and the United States plan to set up a defense hotline, one of Beijing's top generals said on Saturday, a move aimed at improving bilateral military relations. Zhang Qinsheng, deputy chief of the general staff of the People's Liberation Army, made the remarks while speaking at the plenary session of the three-day security summit, also known as the Shangri-La Dialogue, after the name of the Singapore hotel at which the event has been held since its launch in 2002. He said the issue of a hotline between the Chinese military and the US Defense Department would be settled when he visited the United States in September. "We will finalize the establishment of the hotline," said Major General Zhang, speaking through an interpreter at an Asian security conference in Singapore. "We are prepared that in September this year during the ninth Sino-US defense talks, we are going to settle the issue." Zhang also told the Summit that China's defense budget is true and authentic. As the level of Chinese military modernization gradually rises, some raise the question of "military transparency", and voice their suspicion over China's defense budget, so it is necessary to briefly clarify the matter, Zhang said. 
"In China, defense budgeting must follow a set of highly strict legal procedures, and the published Chinese defense budget is true and authentic," he said. He added that the increased proportion of the defense budget is mostly used to make up the retail price rise, improve welfare of the military personnel, and for better logistic support. "Given the multiple security threats, geo-political environment, the size of the territory, and the per-capita expense, the Chinese defense expenditure is small by all judgments," he added. Regarding "military transparency", Zhang noted that due to differences in history, culture, social system and ideology, countries naturally disagree on what "transparency" means and how to achieve it. "The rise of a country's military power is a dynamic process full of changeable factors. It is difficult to be evaluated precisely," he said, adding that "Therefore, it takes time to achieve transparency." He stressed that "China is gradually making progress in military transparency, in light of the principles of trust, responsibility, security and equality." The annual Shangri-La Dialogue, organized by the London-based International Institute for Strategic Studies, opened on Friday. It gathered defense ministers and top officials from 26 countries and regions in the Asia-Pacific region and Europe to address major regional security issues and defense cooperation. 
From rforno at infowarrior.org Sun Jun 3 15:20:29 2007 From: rforno at infowarrior.org (Richard Forno) Date: Sun, 03 Jun 2007 11:20:29 -0400 Subject: [Infowarrior] - Zero-day sales not 'fair' - to researchers Message-ID: Original URL: http://www.theregister.co.uk/2007/06/03/market_value_of_software_security_vulnerabilites/ Zero-day sales not 'fair' - to researchers By Robert Lemos, SecurityFocus Published Sunday 3rd June 2007 08:02 GMT Two years ago, Charles Miller found a remotely exploitable flaw in a common component of the Linux operating system, and as many enterprising vulnerability researchers are doing today, he decided to sell the information. Having recently left the National Security Agency, the security professional decided to try his hand at selling the bug to the U.S. government. In a paper due to be presented next week at the Workshop on the Economics of Information Security (http://weis2007.econinfosec.org/), Miller - now a principal security analyst at Independent Security Evaluators - writes about the experience and analyzes the market for security vulnerabilities. In the case of the Linux flaw, one agency offered him $10,000, while a second told him to name a price. When he said $80,000, his contact quickly agreed. "The government official said he was not allowed to name a price, but that I should make an offer," Miller told SecurityFocus. "And when I did, he said OK, and I thought, 'Oh man, I could have gotten a lot more.'" The sale underscores a significant problem for vulnerabilities researchers that attempt to sell a flaw: Determining the value of the information. In addition, time is a major factor: Miller felt pressured to complete the deal, because if anyone else found and disclosed the flaw, its value would plummet to zero. In a second attempted sale outlined in the paper, the disclosure clock ran out for Miller as he tried to sell a PowerPoint flaw that Microsoft patched this past February before the researcher could close the deal. 
Yet, researchers that sell vulnerabilities should also consider the ethical issues involved, said Terri Forslof, manager of security response for TippingPoint, a subsidiary of networking giant 3Com. "The value of the vulnerability is determined by the amount of time that the vulnerability can be used to get a return on investment before it is patched," Forslof said. "If I'm paying $50,000 for a vulnerability, what am I doing with it? I'm likely not trying to get it patched." Miller's paper comes as sales of vulnerability information are becoming more common (http://www.securityfocus.com/news/11437). Driven by researchers' reluctance to give away hard-won information for free and the standardization on flaw bounties through initiatives such as iDefense's Vulnerability Contributor Program (http://www.securityfocus.com/brief/405) and 3Com's Zero-Day Initiative (http://www.securityfocus.com/news/11253), flaw finders are increasingly trying to get paid for their work. Miller found out that selling a flaw for a fair price is difficult. While the unnamed government agency offered the researcher $80,000, they placed a condition on the sale that the exploit would have to work against a particular flavor of Linux. Two weeks later and worried that the flaw might be found, Miller accepted a lesser offer from the same group for $50,000 for the exploit as is. "While I was paid, it wasn't a full success," he wrote in the paper (PDF (http://weis2007.econinfosec.org/papers/29.pdf)). "First, I had no way to know the fair market value for this exploit. I may have been off by a factor of ten or more." Moreover, Miller had contacts in the government, but could not initially find the right people with which to deal. So, he offered a 10 percent cut to a friend who had better contacts. Other researchers might not be able to find the right contacts to complete similar deals. 
"The only reason this sale happened at all was because of personal contacts I had, which should not be necessary for a security researcher who wants to make a living," he wrote in the paper. The sale of a second vulnerability did not go so well. In January, Miller was approached by a friend who wanted to sell a flaw in Microsoft PowerPoint XP and 2003. Miller found very little guidance in the market to help him set a price, but he believed a company would pay up to $20,000 for the flaw and a government agency, perhaps $50,000. In reality, he only had a handful of offers but haggled one company up to $12,000. Before he could close the deal, however, Microsoft released a fix for the issue. The delay and difficulty in finding a buyer and the problems in setting a price had essentially scuttled the deal, Miller said. "I don't think it fair that researchers don't have the information and contacts they need to sell their research," Miller said. Yet, TippingPoint's Forslof stressed that selling to the government is not necessarily setting a fair price for a vulnerability. Legitimate markets include companies that use vulnerability information to protect their customers while they contact the vendor to get the issue fixed. The government generally constitutes a gray market, because they most likely are not going to notify the vendor and the researcher does not know how they are going to use the information. The black market, where the buyers are likely to use the vulnerability for illicit purposes, would likely pay the most money but put end users in the most jeopardy. "There are a range of prices when you are talking about fair market value versus black market value," she said. "And the government is in a class of their own. It's a matter of what is going to happen to that vulnerability and how they are going to use it." The answers to those questions drove one researcher to deal with a vulnerability-buying program rather than selling to a government agency. 
Security researcher Aviv Raff (http://aviv.raffon.net/) found two trivial-to-exploit vulnerabilities in a component of the Windows Vista operating system late last year. He shopped the more critical flaw to a number of security companies as well as the two major vulnerability-purchase programs. While some of the security companies bested the offers from TippingPoint and iDefense, he declined to sell the flaw to them because they would not commit to notifying Microsoft of the issue. For the same reason, selling the vulnerability to the government was out of the question as well. "I wouldn't mind (selling the information to the government), if I knew they will report it to Microsoft," Raff said. Because of the terms of the sale, Raff cannot mention the name of the program to which he sold the vulnerability nor the price at which he sold it, except to say it's much less than $80,000. Raff directly notified Microsoft of the less critical of the two vulnerabilities. The software giant has not yet patched the flaws. This article originally appeared in Security Focus (http://www.securityfocus.com/news/11468). Copyright © 2007, SecurityFocus (http://www.securityfocus.com/) From rforno at infowarrior.org Sun Jun 3 22:19:53 2007 From: rforno at infowarrior.org (Richard Forno) Date: Sun, 03 Jun 2007 18:19:53 -0400 Subject: [Infowarrior] - Thoughts on the JFK "terror" plot Message-ID: Peering through the political rhetoric, this guy's blog entry sums up a nearly-identical chat I had this morning with some security folks who wondered the same thing....also noting that this seems to be just another "aspirational" terrorist threat like the Miami cell, the Brooklyn Bridge Blowtorcher, and others. *facepalm* -rf Notice a pattern here? 
by clammyc Sun Jun 03, 2007 at 09:08:42 AM PDT As the constant drumbeat of the colossally stupid "fighting them over there so we don't have to fight them over here" and "we must be safer since we haven't been attacked since 9/11" memes fail to fade from discourse, a consistent pattern has emerged with respect to the "terror plots" (and I use the quotes since some of these are absolutely absurd as far as true plots go) which we are hearing about. The latest one being the "alleged plot to destroy JFK airport" - it is yet another reminder of a few very basic things: < - > http://www.dailykos.com/storyonly/2007/6/3/12644/73257 From rforno at infowarrior.org Mon Jun 4 16:56:24 2007 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 04 Jun 2007 12:56:24 -0400 Subject: [Infowarrior] - RIAA Accused of Extortion and Conspiracy in Tampa, Florida, case Message-ID: RIAA Accused of Extortion and Conspiracy in Tampa, Florida, case, UMG v. Del Cid In a new Tampa, Florida, case, UMG v. Del Cid, the defendant has filed the following five (5) counterclaims against the RIAA, under Florida, federal, and California law: 1. Trespass 2. Computer Fraud and Abuse (18 USC 1030) 3. Deceptive and Unfair Trade Practices (Fla. Stat. 501.201) 4. Civil Extortion (CA Penal Code 519 & 523) 5. Civil Conspiracy involving (a) use of private investigators without license in violation of Fla. Stat. Chapter 493; (b) unauthorized access to a protected computer system, in interstate commerce, for the purpose of obtaining information in violation of 18 U.S.C. § 1030 (a)(2)(C); (c) extortion in violation of Ca. Penal Code §§ 519 and 523; and (d) knowingly collecting an unlawful consumer debt, and using abus[ive] means to do so, in violation of the Fair Debt Collection Practices Act, 15 U.S.C. § 1692a et seq. and Fla. Stat. § 559.72 et seq. Answer and Counterclaims* Ms. Del Cid is represented by Michael Wasylik of Ricardo & Wasylik, in Tampa, Florida. 
http://recordingindustryvspeople.blogspot.com/2007/06/riaa-accused-of-extortion-and.html From rforno at infowarrior.org Mon Jun 4 17:01:26 2007 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 04 Jun 2007 13:01:26 -0400 Subject: [Infowarrior] - Terror Plot + Google Earth = OMFGSCARY Message-ID: The current DRUDGE REPORT headline: "JFK TERROR SUSPECT: USE GOOGLE EARTH FOR DETAILS" Ummm.....would there be such hysterics if the bad guys had used Rand McNally road maps or AAA travel guides? Give me a bleepin' break! Yet as always, once the Internet is found to be involved, the sensationalism level of any terror-related story rises exponentially. But not to be undone, the Drudge links to this site for more details: http://www.thesmokinggun.com/archive/years/2007/0604071google1.html Google As Terror Tool? JFK terror plotter directed cohorts to use satellite mapping service JUNE 4--One of the plotters behind the alleged scheme to explode gas pipelines at John F. Kennedy airport directed his co-conspirators to use Google Earth to obtain detailed aerial photos of the targeted facility. In a federal criminal complaint, an excerpt from which you'll find below, one of the accused, Abdul Kadir, reportedly told cohorts to use the popular satellite software after he determined that surveillance video shot by the men was "not sufficiently detailed for operational purposes." Kadir, a Guyanese citizen and former member of that country's parliament, made the Google suggestion during a February meeting with an alleged co-conspirator and a government informant (Kadir and three other men have been charged with planning the terror attack). According to the complaint, the snitch followed through and obtained the Google aerial images of JFK, which the men code named the "chicken farm." At a May 11 meeting in Guyana, Kadir was shown the surveillance video and the Google Earth maps of JFK by the informant and Russell Defreitas, one of those charged in the airport attack plan. 
Defreitas, the complaint notes, "identified, among other things, the fuel tank locations and air traffic control tower." For his part, Kadir "asked many questions about the maps, including the distance between the street and the fuel tanks." (6 pages) From rforno at infowarrior.org Tue Jun 5 00:45:53 2007 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 04 Jun 2007 20:45:53 -0400 Subject: [Infowarrior] - US court rejects FCC broadcast decency limit Message-ID: US court rejects FCC broadcast decency limit (Note strong language in paragraphs 4, 6. Adds analyst in paragraph 8) By Martha Graybow NEW YORK, June 4 (Reuters) - In a major victory for TV networks, a U.S. appeals court on Monday overruled federal regulators who decided that expletives uttered on broadcast television violated decency standards. The U.S. Court of Appeals for the Second Circuit in New York, in a divided decision, said that the U.S. Federal Communications Commission was "arbitrary and capricious" in setting a new standard for defining indecency. The court sent the matter back to the commission for further proceedings to clarify its indecency policy. The FCC, which said it was still studying the opinion, could decide to ask the U.S. Supreme Court to reverse the appeals court. < - > (profanity under the cut) http://asia.news.yahoo.com/070604/3/32w7k.html From rforno at infowarrior.org Tue Jun 5 00:51:45 2007 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 04 Jun 2007 20:51:45 -0400 Subject: [Infowarrior] - RIAA capitulates in Atlantic v. Anderson Message-ID: RIAA throws in the towel in Atlantic v. Andersen By Eric Bangeman | Published: June 04, 2007 - 04:04PM CT http://arstechnica.com/news.ars/post/20070604-riaa-throws-in-the-towel-in-atlantic-v-andersen.html One of the most notorious file-sharing cases is drawing to a close. Both parties in Atlantic v. 
Andersen have agreed to dismiss the case with prejudice, which means that Tanya Andersen is the prevailing party and can attempt to recover attorneys fees. Tanya Andersen was originally sued by the RIAA in 2005. She's a disabled single mother with a nine-year-old daughter living in Oregon; she was targeted by the music industry for downloading gangster rap over Kazaa under the handle "gotenkito." She denied engaging in piracy and in October 2005, she filed a countersuit accusing the record industry of racketeering, fraud, and deceptive business practices, among other things. As we noted earlier today, counterclaims accusing the RIAA of all sorts of wrongdoing have become increasingly common. Late last month, Andersen filed a motion for summary judgment, saying that the plaintiffs have "failed to provide competent evidence sufficient to satisfy summary judgment standards" to show that she engaged in copyright infringement. Most notably, a forensic expert retained by the RIAA failed to locate "any evidence whatsoever" on Andersen's PC that she had engaged in file-sharing. The RIAA has already taken a beating in the press in this case - accusing a disabled single mother of sharing songs like "Hoes in My Room" over Kazaa and then pressing doggedly ahead with the case despite mounting evidence that it had erred tends to look bad. Faced with the prospect of a case that was all but unwinnable, the RIAA has cut its losses by agreeing to dismiss the case. What's unusual is that the RIAA has stipulated to a dismissal with prejudice, completely exonerating Andersen. Next to a negative verdict, an exonerated defendant is the last thing the RIAA wants. When faced with an undesirable outcome, the RIAA's tactic has been to move to dismiss without prejudice, a "no harm, no foul" strategy that puts an end to a lawsuit without declaring a winner and a loser. 
Dismissing a case with prejudice opens the RIAA up to an attorneys' fee award, which happened in the case of another woman caught in the music industry's driftnet, Debbie Foster. With the original RIAA complaint dismissed, Andersen told Ars Technica in an e-mail that the counterclaim is "now standing on its own," meaning that she will still have the opportunity to argue her counterclaims before the court. Given the allegations she has made, prevailing with the counterclaim could prove even more troubling to the RIAA. Given the facts of the case and the precedent set by Capitol v. Foster, an attorneys' fee award is not out of the question. Getting the RIAA to actually cut a check may prove to be a bit more difficult, as Foster's attorneys have discovered. You can track the progress of Foster's attempts to recover fees - and many other file-sharing cases - at Recording Industry vs. The People. From rforno at infowarrior.org Tue Jun 5 11:22:53 2007 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 05 Jun 2007 07:22:53 -0400 Subject: [Infowarrior] - The JFK Plot: Overstating the Case? In-Reply-To: <001501c7a754$4b947360$0201a8c0@DB0PJ521> Message-ID: This is a really good commentary......wish I'd written it......rf http://www.time.com/time/nation/article/0,8599,1628169,00.html Times Monday, Jun. 04, 2007 The JFK Plot: Overstating the Case? By Amanda Ripley/Washington On Saturday, the U.S. Attorney for the Eastern District of New York, Roslynn Mauskopf, went on TV with FBI and police officials to announce a victory. Four men had been charged in what Mauskopf described as "one of the most chilling plots imaginable." If successful, she said, the plot "could have resulted in unfathomable damage, deaths and destruction." And just in case there was any doubt about the gravity of the plot, she added, "The devastation that would be caused had this plot succeeded is just unthinkable." 
But the 33-page complaint against the men, issued by Mauskopf's office, describes a plan that is somewhat less impressive. The four suspects, Russell Defreitas, Kareem Ibrahim, Abdul Kadir and Abdel Nur, allegedly schemed to blow up fuel tanks and a fuel pipeline at JFK Airport. This plan did not target passenger terminals or airplanes. It was an attack on ... jet fuel. Which would have been rather hard to pull off successfully. "Jet fuel is flammable and can be made to explode, but it's difficult," says Richard Kuprewicz, an independent energy consultant who has worked with pipeline operators for 33 years. Even if someone did manage to blow up a fuel tank, the resulting fire would not spread through the main pipeline, he says. "Are they true terrorism targets that would shut down JFK for weeks or even days? No." Excerpts from taped conversations with the suspects, included in the complaint, make it clear that, while they may have dreamed of pulling off a major terrorist strike, they had very little idea what they were actually doing. In the worst-case scenario, there might have been a fire - which would have been contained to an unpopulated area of the airport, since that's where the tanks and the pipeline are located. "This whole theory that they were going to blow up this entire 40-mile pipeline shows naïveté in my mind," says Roy Haase, spokesperson for the Buckeye Partners LP, which runs the pipeline in question. "They were foolish." Still, on Monday, Mauskopf's spokesperson stood by the strong language: "All I would say to you is reread the complaint, and it's clear from what these defendants have said what their plans were." When pressed, he defaulted to the inevitable trump card: "The individuals that carried out the 9/11 attacks, if you were to talk about what they planned to do with plane tickets and box cutters, take down the Twin Towers, that's an unbelievable plot." But the issue here is not that the plot is hard to believe. 
If it turns out to be true, the authorities did an excellent job foiling a plot before it happened. The problem is the fear mongering, the fact that all too often these days, the rhetoric around these anti-terror arrests doesn't fit the charges. It is hardly the first time we've seen officials get overstimulated when announcing terrorism charges. Remember Jose Padilla? Or the "more-aspirational-than-operational" Seas of David group? So why is it that, in so many terror cases, prosecutors seem to go out of their way to make alleged bad guys sound scarier than they are? 1) Legal Gamesmanship Even though the trial may be years away, it has already begun for the prosecutor. The blockbuster press conference is a way to influence potential jurors, judges and attorneys before they even get selected. "This is their first best punch. It's the first time the prosecutor has an unobstructed shot at reaching the public and jurors, too," says Brian Levin, a specialist on terrorism prosecutions and an associate professor of criminal justice at California State University San Bernardino. "Prosecutors know that this is the one time they'll be able to make their case live with very little questioning. You're going to use great, nonspecific words to describe the gravity of the case." 2) Fear Anyone who prosecutes terrorism cases knows that the U.S. is going to be hit again. When it happens, prosecutors - and FBI agents and police - will feel much better knowing that they hit suspected terrorists hard, even if only rhetorically. Otherwise, after the next attack the public will legitimately ask for their heads. 3) Pressure From Above "There's incredible pressure to bring high-profile cases that show that the government is doing its job," says Levin, who trains prosecutors and is himself a former New York City Police Department officer. Since 9/11, prosecutors have been forced to act pre-emptively, making arrests earlier than they ever would have before. 
But they still use the same scorched-earth rhetoric when talking up their cases. 4) Belief The suspects in this case had malicious intentions, according to the complaint. One of them allegedly told the government's informant that he hoped to outdo the 9/11 attacks and devastate the U.S. economy. Even if he was delusional, his ambitions were nasty: "Anytime you hit Kennedy, it is the most hurtful thing to the United States," Defreitas allegedly told the informant. "They love John F. Kennedy like he's the man." Prosecutors are charged with protecting Americans from terrorists, so they wouldn't be doing their jobs if they didn't find this kind of talk appalling. 5) Careerism Of course, a high-profile counter-terrorism success is also a great resume builder, too. It's probably worth mentioning that Mauskopf's nomination to the federal bench has been stalled by Senator Russell Feingold, who seems to think she is too cozy with the Bush administration when it comes to death penalty prosecutions. A big terrorism case can boost a prosecutor's reputation in Congress. 6) Money Nefarious plots help justify more federal counter-terrorism resources. "Once again, would-be terrorists have put New York City in their crosshairs," NYPD Commissioner Ray Kelly made sure to note at the press conference. The next day, New York Congressman Peter King put a finer point on it: "It certainly demonstrates that New York needs more money, and that New York is the No. 1 target." 7) Ego There are simpler forces at work, too. Many cops and prosecutors like to turn their targets into superheroes. It helps to justify their hard work and make life more interesting. 8) No Downside And finally, the best reason to overstate the case? Because there's no risk. Prosecutors do not tend to get rebuked for using strong language when describing would-be terrorists. And they figure that if they later find out they were wrong, the public record will show that the charges were dropped. No harm done, right? 
Except that there is harm done. Two days after the press conference, the New York Sun ran a story under the headline, "JFK Pipeline is 'Ticking Time Bomb.'" Residents were quoted fretting about the coming Armageddon. But the pipeline has been around since 1966, and there has never been an explosion. It pumps eight million gallons of fuel around New York City every day, and it does so far more safely than trucks or trains ever could. The larger penalty is even more insidious. This time, the Washington Post and Los Angeles Times ran front-page stories repeating Mauskopf's superlatives. Next time, when the complaint actually supports her claims, they may not. No one wants to look like a chump twice. Not even regular citizens. So every time the government is found to be embellishing its case, members of the public lose a little bit of faith. They might eventually begin to think the terrorism threat is not very serious after all. They might understandably discount what authorities say. And that kind of complacency, even if it is indirectly caused by good attorneys who are just trying to do their jobs, is, well, "chilling." From rforno at infowarrior.org Tue Jun 5 14:35:08 2007 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 05 Jun 2007 10:35:08 -0400 Subject: [Infowarrior] - Concerns Emerge Over iTunes User Data Message-ID: Concerns Emerge Over iTunes User Data http://apnews.myway.com/article/20070605/D8PIKO3O0.html Jun 5, 7:40 AM (ET) By MAY WONG SAN JOSE, Calif. (AP) - Apple Inc. (AAPL)'s recent rollout of songs without copy protection software at its iTunes Store has given consumers new flexibility, but questions have emerged over the company's inclusion of personal data in purchased music tracks. Are the songs that are being billed as free of so-called digital rights management technology really "DRM-free" or are there still strings attached? 
The Electronic Frontier Foundation, a consumer watchdog group, said the embedded user information in the purchased track raises privacy issues. Apple declined to comment. The trendsetting Cupertino-based company has always embedded user information - a user name and e-mail - into its copy-protected tracks. But until the market-leading iTunes Store began offering DRM-free music last week, no one raised much of a ruckus. DRM technology puts a sort of software lock on digital songs or movies, dictating where and how the content can be played and distributed. With DRM-free content, some songs purchased from iTunes now work directly on portable players other than Apple's iPod, including Microsoft Corp. (MSFT)'s Zune. Though piracy of digital music over the Internet remains unabated even with the growth of legitimate online retailers like iTunes, Apple's debut of DRM-free songs could tempt some of its users to share their purchased tracks with others online. Technology blogs Ars Technica and The Unofficial Apple Weblog were among the first to reveal that personal data remained in the unrestricted iTunes tracks. Their reports last week prompted speculation that the data could be used to trace copies uploaded to online file-sharing networks back to the people who originally purchased the tracks, opening those users to music industry copyright lawsuits. The Recording Industry Association of America, whose piracy lawsuits have ensnared organized outfits as well as individual grandmothers and youths, declined to comment. EMI Group PLC, the major record label behind Apple's inaugural batch of DRM-free songs, also declined to comment. "DRM prevented us from playing the music we have purchased on all of our devices. We asked that this be removed and we got what we were looking for," said Erica Sadun, a prolific technology blogger on TUAW.com and author who conducted her own tests of Apple's embedded identification tags. 
"But I'm on the fence in terms of the privacy issues," she said in an interview. "Consumers should always know what they're getting into." The Electronic Frontier Foundation, which also analyzed the DRM-free song files on iTunes, said it did not want to jump to any conclusions on Apple's reasons for embedding the personal data. Besides, users can remove their identifying data from the files simply by burning the tracks to a CD and then ripping the songs back to their computer in the MP3 format, said Fred Von Lohmann, an attorney with the San Francisco-based group. Still, the group takes issue with the fact that the personal information stored in these type of song files is not encrypted. If someone were to lose their iPod or have their laptop stolen, for example, anyone using simple software tools could access the personal data in the songs, von Lohmann suggested. "It just seems careless and unwise for somebody like Apple to start planting this kind of personal information without protection in the files," von Lohmann said. "It's not as bad as leaking your credit card number or your Social Security number, but it's still a pretty careless security leak." Michael Gartenberg, an analyst at JupiterResearch, said he does not think Apple planned to use the personal data as a secretive tracking tool. "I think it's more of a way of retaining a proof of purchase," he said, adding how the identifying tags on copy-protected tracks likely facilitated Apple's ability to approve user upgrades to previous song purchases. "'DRM-free' means I'm not restricted from putting the songs on other devices anymore, but it doesn't give users a license for piracy," he said. Ultimately, whether it's intentional or just an inadvertent deterrent for the illegal sharing of digital tunes, Gartenberg predicts other major online music retailers will similarly embed user tags once they, too, start to introduce DRM-free songs. 
"I think everyone is going to have to do this as some way for tracking purchases," he said. Sadun agreed. "It's a brilliant compromise," she said, "between the forces of the music industry which have been too heavy handed and the forces of consumers who perhaps have pulled too far toward information freedom." Online music retailer eMusic.com, which sells songs in the unrestricted MP3 format mostly from independent labels, says it keeps a record of user purchases on its own computer servers but doesn't place any kind of user data in any of its tracks sold. Apple should be more upfront about its purpose for the embedded information, said David Pakman, eMusic's chief executive. "You should tell customers what you're doing with it before they spend money with you," he said.

--- AP Business Writer Alex Veiga in Los Angeles contributed to this report.

From rforno at infowarrior.org Thu Jun 7 18:32:15 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 07 Jun 2007 14:32:15 -0400
Subject: [Infowarrior] - Akamai Releases Internet Health Reporting System
Message-ID:

June 7, 2007 - Akamai Introduces First-of-its-Kind, Real-Time View into Health of the Internet

Company creates a virtual weather map of Internet conditions, measuring attack traffic, network latency between major cities, traffic volume and network performance

CAMBRIDGE, MA - June 7, 2007 - How healthy is the Internet? Akamai Technologies, Inc. (NASDAQ: AKAM) unveiled today a unique set of tools that provide a view into the real-time wellbeing of the Internet. Visit www.akamai.com/visualize to view how the Internet is performing at this moment. Operating the world's largest distributed computing platform for accelerating online content and applications for today's most successful businesses, Akamai has deployed over 25,000 servers in more than 750 cities that are used by content providers to bypass the inherent bottlenecks that exist as part of the Internet's infrastructure.
Serving as a virtual air-traffic controller for the billions of Web pages, streams, software downloads, and application transactions traversing the Internet, Akamai is providing the public -- for the first time -- with a visual understanding of why some Web traffic may be slow, infected, or simply non-existent. "It's easy to take for granted that the Internet will always be on, and always working," said Tom Leighton, co-founder and chief scientist of Akamai. "Reality shows us that there are many factors, on any given day, degrading the Internet's performance. Some are malicious, and some are the result of the incredible amount of content being requested at any one time. Akamai is in a unique position to monitor the Internet in real-time, identifying where and when the Internet is being taxed. The services we provide, leveraging this data, are geared toward helping our customers overcome the challenges of the Internet so they can effectively conduct business online." Akamai is introducing three distinct data visualization tools, each with interactive settings, allowing visitors to customize the data based on interest. Continues Leighton, "Although there is a great deal more that we monitor daily on the Internet on behalf of our customers, these tools are a first for giving the public a view into the Internet's growth, stability and potential trouble spots."

VISUALIZING THE INTERNET

Real-Time Web Monitor
http://www.akamai.com/html/technology/dataviz1.html
(move the "zoom window" to see greater detail.)

Offering three modes of visualizing the Internet in real-time, the Real-Time Web Monitor identifies the global regions with the greatest attack traffic, cities with the slowest Web connections (latency), and geographic areas with the most Web traffic (traffic density).

* Attack Traffic
Akamai displays real-time attack traffic by geo-region (state, province or country).
This visualization is based on data collected that includes the number of connections that are attempted, the source IP address, the destination IP address and the source and destination ports. The packets captured are generally from automated scanning trojans and worms looking to infect new computers scanning randomly generated IP addresses.

* Latency/Speed
Akamai measures network latency between most major cities via regularly automated tests. These tests consist of web connections and downloads, as well as Internet Control Message Protocol (ICMP) pings. Displayed in this interface are the current top ten worst performing cities. Absolute Latency depicts the current latency of a given city, while Relative Latency depicts the differential between the city's current latency and its historical average latency.

* Network Traffic
Akamai monitors the amount of data being requested and delivered by geography at any given moment in time. Displayed in this interface are the top ten regions with the current highest traffic volumes.

Network Performance Comparison
http://www.akamai.com/html/technology/dataviz2.html

Akamai's route optimization technology is designed to improve the performance and reliability of dynamic applications and content delivered over the Internet. The Network Performance Comparison tool illustrates how Akamai identifies the fastest and most reliable path available between an Akamai edge server and an enterprise's origin data center to retrieve dynamic content. To utilize this tool, select a pair of cities to compare Akamai versus the public Internet.

Visualizing Akamai
http://www.akamai.com/html/technology/dataviz3.html

Akamai handles, at times, 20 percent of the world's total Web traffic, providing a unique view into what's happening on the Web.
This tool provides insight into the world's online behavior at any given moment including how much rich media is on the move, the sheer volume of data being requested, the number and concentration of worldwide visitors, and average connection speeds worldwide.

Net Usage Indices

These data visualization tools accompany Akamai's existing Net Usage Indices measuring real-time online consumption of News, Retail and Music. All of the indices are intended to provide unique insight into the massive cultural and economic changes resulting from the ways people worldwide get news and information and act as consumers online. The Akamai Net Usage Indices measure Internet traffic dedicated to an aggregate set of Web sites, monitoring consumption by continent, as well as the world as a whole. Akamai's Indices do not release specific customer data, but show an aggregate view of web traffic to the sites that Akamai supports. For each Index, there is a downloadable widget available, such as the following for News: http://www.akamai.com/html/technology/nui/news/widgets.html

From rforno at infowarrior.org Thu Jun 7 18:43:19 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 07 Jun 2007 14:43:19 -0400
Subject: [Infowarrior] - Politicos threaten schools over campus piracy
Message-ID:

CNET News.com http://www.news.com/

Politicos threaten schools over campus piracy
By Anne Broache
http://news.com.com/Politicos+threaten+schools+over+campus+piracy/2100-1028_3-6188887.html
Story last modified Tue Jun 05 17:23:38 PDT 2007

WASHINGTON--Politicians on Tuesday threatened to enact new laws if universities don't do more to prevent their students from unlawfully swapping music, movies and other copyrighted files on campus networks. At the latest in what has become a multiyear series of hearings focused on university campus piracy, members of the U.S.
House of Representatives' Science and Technology Committee said college administrators must seriously consider using not only educational campaigns but also technological filters to reduce illicit file swapping among students. "Illegal file sharing isn't just about royalty fees," committee chairman Bart Gordon (D-Tenn.) said at the hearing, which lasted a little more than an hour. "It clogs campus networks and interferes with the educational and research mission of universities." Relatively cheap broadband connections and readily available digital media works have made it easier and more tempting than ever to share copyrighted content illegally, said Rep. Ralph Hall (R-Texas), the committee's ranking member. "This rampant disregard for copyright law needs to end," he told the panel, which included administrators from the University of Chicago, Illinois State University, Arizona State University and the University of Utah. The problem in policing Internet connections is, however, that besides April Fools' jokes like the omniscience protocol, it's hardly easy for a network provider to detect which packets are carrying illegal copyrighted material and which are not. About the best universities can do is measure the amount of information transmitted, which might indicate unlawful content--or might not, because there are many legitimate academic uses for bandwidth-saturating activity. And encrypted data can make any kind of filtering task near-impossible. Rep. Tom Feeney (R-Fla.), also a member of the House Judiciary Committee, which writes copyright laws, suggested Congress should withhold funding from universities if they don't police their networks adequately. Universities receive tens of billions of dollars a year in federal research money, and the Department of Education handed out $82 billion in 2007 in new grants and loans to students. 
"We're spending a good deal of federal resources in terms of helping universities with their technological improvements, directly and indirectly," Feeney said. "Is it responsible for a Congress that wants to protect intellectual property rights to continue to fund network enhancements for universities if some of those enhancements are indirectly being used in fact to promote intellectual property theft?" (That seemed to be a reference to the Internet2 project, funded in part by taxpayers.) Tuesday's hearing comes as both politicians and entertainment industry representatives have continued to pressure universities to crack down on perceived piracy problems. The Recording Industry Association of America and the Motion Picture Association of America sent letters in late April to the presidents of 40 universities in 25 states, asking them to halt their students' use of programs that allow them to trade files against their schools' local area networks while skirting the public Internet. And last month, the leaders of the Judiciary Committee, including longtime copyright crackdown advocates Reps. Lamar Smith (R-Texas) and Howard Berman (D-Calif.), sent letters to 19 universities considered to be the top piracy offenders, asking a number of questions about the policies they have in place and threatening to consider congressional action if their answers were unacceptable. Rep. Jim Sensenbrenner (R-Wis.), also a member of both committees, cited years-old figures from his alma mater, Stanford University, that 80 percent of the campus' bandwidth was being used for file sharing. "To say file sharing on university campuses does not drive up the cost of education is just flat-out false," he said. "The more we can do to have the technology to keep this from happening in the first place, the better off students will be." 
The cost of file sharing

Charles Wight, associate vice president for academic affairs and undergraduate studies at the University of Utah, said his school had saved $1.2 million in bandwidth costs and about $70,000 in personnel costs since implementing a two-pronged approach to rooting out file sharing three years ago. He said the university's information security office employs a combination of continuous monitoring of its networks for high-bandwidth users and runs software made by a company called Audible Magic, which is designed to match and block the exchange of copyrighted files through audio "fingerprinting," on its student residence networks. Arizona State University Chief Technology Officer Adrian Sannier reported success in reducing illegal file sharing through a similar approach. In response to a question posed by Hall, all the university representatives present said they believed such technological solutions were part of the answer to reducing illicit file sharing but that they're far from foolproof. (In addition, file sharing can be used for non-infringing purposes at universities and corporations, as the U.S. Supreme Court noted in the Grokster case.) Some officials had more favorable views about filtering and blocking. Greg Jackson, chief information officer for the University of Chicago, said his school had tried to block file-sharing traffic using various methods, but when one program failed, it took down all of the university's Internet traffic with it, stumping the technical staff for "a while." Jackson and Illinois State University dean of libraries Cheryl Elzy also blamed the entertainment industry for some of the piracy problems.
"So long as the right thing remains more daunting, awkward and unsatisfying than the wrong thing, too many people will do the wrong thing," Jackson said, referring to the digital rights management technology used widely in legally purchased music files. Both Elzy and Jackson endured grilling from some committee politicians who accused them of not taking seriously the viability of technological solutions. "If we rely on technology too much, it's going to interfere with legal uses of peer-to-peer technologies," Elzy said. Some of her own library files can be quite large, she added, and "I'd like to not have those blocked."

CNET News.com's Declan McCullagh contributed to this report.

Copyright ©1995-2007 CNET Networks, Inc. All rights reserved.

From rforno at infowarrior.org Fri Jun 8 11:28:17 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 08 Jun 2007 07:28:17 -0400
Subject: [Infowarrior] - Comcastic Logic
Message-ID:

The latest Comcraptastic marketing logic as evidenced in one of their current and more-annoying commercials: "Before cable forced broadband competition, doctors and patients couldn't connect effectively (thus suggesting medical care suffered as a result). But thanks to cable broadband, that's now possible." ...so until now -- and all joking aside -- patients and doctors never communicated with each other until cable came to town? Madison Avenue never ceases to confuse, amuse, amaze, and annoy me.
-rick

From rforno at infowarrior.org Fri Jun 8 13:18:01 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 08 Jun 2007 09:18:01 -0400
Subject: [Infowarrior] - Digital signatures get Web standards nod
Message-ID:

Digital signatures get Web standards nod
By Stephen Shankland
http://news.com.com/Digital+signatures+get+Web+standards+nod/2100-1013_3-6189527.html
Story last modified Thu Jun 07 16:51:48 PDT 2007

A standards group has completed work on digital signature technology designed to ensure data authenticity between interacting Web servers. Version 1.0 of the Digital Signature Services standard provides a tamper-proof mechanism to provide electronic timestamps, postmarks or official corporate imprimaturs. Members of the Organization for the Advancement of Structured Information Standards (OASIS) gave the digital signature standard its highest level of ratification, the standard group said Thursday. OASIS governs many emerging standards in the domain of Web services, a term that refers to sophisticated interactions of different servers over the Internet. With a digital signature Web service, a company could use a separate server to handle the chore rather than building it directly into each application that needed it. The digital signature standard has two components, one for the signature itself and one for verification of the signature, OASIS said. So, for example, a computer service could send a document to a server to receive a digital signature or send a document and its signature to a server that will verify the document's authenticity. One organization that has an interest in digital signatures and that worked with OASIS to develop the standard is the Universal Postal Union, a United Nations agency.
It's working to incorporate the digital signature standard into its Electronic Post Mark system (UPU EPM), OASIS said.

Copyright ©1995-2007 CNET Networks, Inc. All rights reserved.

From rforno at infowarrior.org Fri Jun 8 13:20:13 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 08 Jun 2007 09:20:13 -0400
Subject: [Infowarrior] - Vietnamese fishermen 'salvage' Internet lines
Message-ID:

EE Times: Semi News
Vietnamese fishermen 'salvage' Internet lines
Reuters
EE Times (06/07/2007 12:26 AM EDT)
http://www.eetimes.com/news/semi/showArticle.jhtml?articleID=199902343

HANOI -- Fishermen who were allowed to take unused war-era undersea copper cables have gone too far, "salvaging" fibre-optic lines providing some of Vietnam's Internet and other international communications. A Ministry of Posts and Telematics report seen on Thursday urged authorities in central and southern regions to prevent the theft of cable, whose loss underdeveloped Vietnam can ill afford. "The general assessment is that most fishermen, and in some cases even the local authorities, had a very simple understanding of the consequences of the theft of under-sea fibre optic cable," the report on a May 31 to June 5 investigation said. State-run newspapers said an 11-km (7-mile) section of stolen TVH fibre-optic cable would be replaced at a cost of $5.8 million. It was part of the line that transmits data from Vietnam to Thailand and Hong Kong. In all, about 43 km (27 miles) of fibre-optic cable is missing, including about 32 km (20 miles) stolen from a cable operated by a Singaporean company. "Now just one undersea cable connects Vietnam with the outside world," Thanh Nien (Young People) newspaper said. The theft began after the government in the southern province of Ba Ria-Vung Tau last year allowed fishermen and soldiers to salvage undersea copper cable laid before 1975 to sell as scrap.
The Vietnam war in which the United States backed a South Vietnam government, ended in April 1975 when communist North Vietnam troops captured Saigon, now Ho Chi Minh City. The permission to salvage the cable has been withdrawn, the ministry has asked the Coast Guard to increase patrols and inspections and officials have started a public relations campaign to educate fishermen about the importance of the cables.

Copyright 2007 Reuters.

From rforno at infowarrior.org Sat Jun 9 13:37:20 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 09 Jun 2007 09:37:20 -0400
Subject: [Infowarrior] - DOJ lawer refuses Congressional request for legal opinion on surveillance
Message-ID:

Justice Lawyer Refuses to Give Congress Legal Opinions on NSA Surveillance Program
http://blog.wired.com/27bstroke6/2007/06/justice_lawyer_.html
By Luke O'Brien
June 07, 2007 | 3:29:43 PM
Categories: Politics, Surveillance

Clearly, the Justice Department has nothing to hide. After an hour of stirring talk from witnesses about the need for checks and balances, executive branch transparency and the miscalculations of inherent power that led to the American Revolution, Justice lawyer Steven Bradbury had precious little to say when Rep. Jerry Nadler (D-New York) asked him to provide the legal opinions the Bush administration relied on when unleashing a secret warrantless NSA surveillance program that ended up spying on American citizens: "No." Bradbury said the documents are confidential and suggested that if the committee were to try to get at them, executive privilege might get in the way. Of course, the president, who Bradbury said re-authorized the NSA program every 45 days for almost six years, would have to erect that hurdle himself. "So you're saying you won't give to Congress the requested documents because they assert an executive privilege that you haven't asserted?" asked an incredulous Nadler. Yes.
The first House oversight hearing on the NSA's warrantless Terrorist Surveillance Program went pretty much the same way: Legal heads railing about how the White House has circumvented both the Foreign Intelligence Surveillance Act and the Fourth Amendment, and administration mouthpieces obfuscating with disturbing ease. Jameel Jaffer, an ACLU lawyer who represents a coalition of criminal defense attorneys, journalists, and scholars that had formally challenged the legality of the NSA program (last year, a federal court in Michigan agreed with the ACLU that the program was illegal; the Bush administration has appealed the decision.), urged Congress to issue subpoenas to learn more about the executive branch's legal justifications, the involvement of telecoms and what secret surveillance activities are going on today. But Nadler's opening remarks may have best captured the spirit of a hearing in which the specter of arsenic-mad King George III was invoked: "We rejected monarchy in this country more than 200 years ago. That means that no President may become a law unto him or herself. As with every part of government, there must always be checks and balances. This President appears to have forgotten that fact. Not only has he asserted the right to go around the FISA Court and the Wiretap Act, but he has actually done so. Even more disturbing, he does not believe that he is accountable to the Congress, the courts, or anyone else....Many have begun to conclude that the shroud of secrecy thrown over these activities has less to do with protecting us from terrorism and more to do with protecting the Administration from having its lawbreaking exposed." 
From rforno at infowarrior.org Sat Jun 9 13:39:54 2007 From: rforno at infowarrior.org (Richard Forno) Date: Sat, 09 Jun 2007 09:39:54 -0400 Subject: [Infowarrior] - Passport requirement to re-enter country temporarily suspended Message-ID: *blink*blink* -rf Passport requirement to re-enter country temporarily suspended By Michael Hampton Posted: June 9, 2007 3:31 am http://www.homelandstupidity.us/2007/06/09/passport-requirement-to-re-enter- country-temporarily-suspended/ The State and Homeland Security Departments announced Friday that the government would suspend a rule requiring Americans to have passports in order to re-enter the country from Canada, Mexico and certain Caribbean islands which went into effect earlier this year due to a months-long backlog of passport applications. ?The federal government is making this accommodation for air travel due to longer than expected processing times for passport applications in the face of record-breaking demand,? the State Department said in a news release. The regulation, which went into effect January 23, requires U.S. citizens traveling by air to show a passport or alternative proof of citizenship in order to re-enter the country from Canada, Mexico and the Caribbean, as part of the government?s Western Hemisphere Travel Initiative. In 2008, the requirement will apply to all travel, including land border crossings. Under the new, temporary procedures, which the government said would last through September 30, citizens can present a government-issued photo ID and proof of passport application when re-entering the country. Children under 16 would not need an ID, but still need proof of passport application. An unnamed government official told the New York Times that persons traveling under this procedure ?should expect . . . additional security.? With toll-free phone lines overloaded, travelers have thronged the 14 passport offices, seeking scarce appointments to plead their cases in person. 
The agency here, among others, has created teams to expedite cases with imminent deadlines. Some travelers said they could not apply for visas without passports. . . . Some people said they had seen scant flexibility. Tonya Elliott, of Orlando, Fla., said when she and her twin, Seana Mincy, tried to apply for a passport in April for Ms. Mincy?s 3-year-old, Brendan, for a trip to Canada on June 19, a federal court clerk told them that they would not have it in time and to wait until June 5 to call for an appointment. They could not get through on the phone, Ms. Elliott said, and drove four hours on Thursday to the Miami agency, where, after a day in line, they were offered an appointment after their scheduled departure. When they protested, she said, they were threatened with arrest, adding, ?We were treated horribly.? ? New York Times Sounds like good government to me. Make people wait in line, give them no service, and threaten them if they don?t like it. The backlog has caused up to three-month delays in issuing passports and ruined or delayed the travel plans of thousands. Lawmakers besieged with constituent complaints have demanded relief. Rep. Thomas M. Reynolds (R-N.Y.), whose district lies near the Canadian border, said White House officials have been on Capitol Hill trying to work out a compromise amid what he called a turf war between State and Homeland Security. ? Associated Press In related news, Sen. Susan Collins (R-Maine) has introduced legislation which would delay the requirement for citizens to present a passport or other secure biometric document until the Department of Homeland Security completes and evaluates the results of a pilot program with Washington State testing biometric driver licenses as border-crossing documents. This is what ?homeland security? means in Washington, D.C. It means you are going to be identified, numbered, and tracked. When the government screws up, which it almost always will, you will be punished for it. 
And for all this trouble, you?ll be no safer at all. From rforno at infowarrior.org Sat Jun 9 13:40:59 2007 From: rforno at infowarrior.org (Richard Forno) Date: Sat, 09 Jun 2007 09:40:59 -0400 Subject: [Infowarrior] - TorrentSpy ordered to start tracking visitors Message-ID: TorrentSpy ordered to start tracking visitors By Greg Sandoval http://news.com.com/TorrentSpy+ordered+to+start+tracking+visitors/2100-1030_ 3-6189866.html Story last modified Fri Jun 08 19:41:10 PDT 2007 A court decision reached last month but under seal until Friday could force Web sites to track visitors if the sites become defendants in a lawsuit. TorrentSpy, a popular BitTorrent search engine, was ordered on May 29 by a federal judge in the Central District of California in Los Angeles to create logs detailing users' activities on the site. The judge, Jacqueline Chooljian, however, granted a stay of the order on Friday to allow TorrentSpy to file an appeal. The appeal must be filed by June 12, according to Ira Rothken, TorrentSpy's attorney. TorrentSpy has promised in its privacy policy never to track visitors without their consent. "It is likely that TorrentSpy would turn off access to the U.S. before tracking its users," Rothken said. "If this order were allowed to stand, it would mean that Web sites can be required by discovery judges to track what their users do even if their privacy policy says otherwise." The Motion Picture Association of America, which represents Columbia Pictures and other top Hollywood film studios, sued TorrentSpy and a host of others in February 2006 as part of a sweep against file-sharing companies. According to the MPAA, the search engine was sued for allegedly making it easier to download pirated files. Representatives of the trade group could not be reached for comment. The court's decision could have a chilling effect on e-commerce and digital entertainment sites, said Fred von Lohmann, an attorney with the Electronic Frontier Foundation. 
He calls the ruling "unprecedented." EFF, which advocates for the public in digital rights' cases, is still reviewing the court's decision, but von Lohmann calls what he's seen so far a "troubling court order." This is believed to be the first time a judge has ordered a defendant to log visitor activity and then hand over the information to the plaintiff. "In general, a defendant is not required to create new records to hand over in discovery," von Lohmann said. "We shouldn't let Web site logging policies be set by litigation." Many Web companies keep visitor logs, which can include Internet Protocol addresses, as well as other information. Some choose not to record this data, including EFF, von Lohmann said. Copyright ©1995-2007 CNET Networks, Inc. All rights reserved. From rforno at infowarrior.org Sun Jun 10 20:23:51 2007 From: rforno at infowarrior.org (Richard Forno) Date: Sun, 10 Jun 2007 16:23:51 -0400 Subject: [Infowarrior] - America's Secret Obsession Message-ID: http://www.washingtonpost.com/wp-dyn/content/article/2007/06/08/AR2007060802496_pf.html America's Secret Obsession By Ted Gup Sunday, June 10, 2007; B01 "If you guard your toothbrushes and diamonds with equal zeal, you'll probably lose fewer toothbrushes and more diamonds." -- Former national security adviser McGeorge Bundy * * * In April 1971, CIA officer John Seabury Thomson paddled his aluminum canoe across the Potomac on his daily commute from his home in Maryland to CIA headquarters in Langley. When he reached the Virginia shore, he noticed a milky substance clouding the waters around Pulp Run. A fierce environmentalist, Thomson traced the pollution to its source: his employer. 
The murky white discharge was a chemical mash, the residue of thousands of liquefied secrets that the agency had been quietly disposing of in his beloved river. He single-handedly brought the practice to a halt. Nearly four decades later, though, that trickle of secrets would be a tsunami that would capsize Thomson's small craft. Today the nation's obsession with secrecy is redefining public and private institutions and taking a toll on the lives of ordinary citizens. Excessive secrecy is at the root of multiple scandals -- the phantom weapons of mass destruction, the collapse of Enron, the tragedies traced to Firestone tires and the arthritis drug Vioxx, and more. In this self-proclaimed "Information Age," our country is on the brink of becoming a secretocracy, a place where the right to know is being replaced by the need to know. For the past six years, I've been exploring the resurgent culture of secrecy. What I've found is a confluence of causes behind it, among them the chill wrought by 9/11, industry deregulation, the long dominance of a single political party, fear of litigation and liability and the threat of the Internet. But perhaps most alarming to me was the public's increasing tolerance of secrecy. Without timely information, citizens are reduced to mere residents, and representative government atrophies into a representational image of democracy as illusory as a hologram. * * * The explosion in government secrecy since 9/11 has been breathtaking. In 1995, according to the Information Security Oversight Office, the stamp of classification -- "confidential," "secret," "top secret," etc. -- was wielded about 3.6 million times, mostly to veil existing secrets in new documents. Ten years later, it was used a staggering 14.2 million times (though some of the bump-up was the result of increased use of the Internet for government communications). That works out to 1,600 classification decisions every hour, night and day, all year long. 
(And not one of those secrets is believed to reveal where Osama bin Laden is.) Managing this behemoth has required a vast expansion in the ranks of those cleared to deal in secrets. By 2004, the line of 340,000 people waiting to receive a security clearance would have stretched 100 miles -- from Washington to Richmond. Many must still wait a year or more. And the cost of securing those secrets -- as much as $7.7 billion in safes, background checks, training and information security -- is about equal to the entire budget for the Environmental Protection Agency. But the notion that information is more credible because it's secret is increasingly unfounded. In fact, secret information is often more suspect because it hasn't been subjected to open debate. Those with their own agendas can game the system, over-classifying or stove-piping self-serving intelligence to shield it from scrutiny. Those who cherry-picked intelligence in the run-up to the Iraq war could ignore anything that contradicted it. Even now, some members of Congress tell me that they avoid reading classified reports for fear that if they do, the edicts of secrecy will bar them from discussing vital public issues. Real secrets -- blueprints for nuclear weapons, specific troop movements, the identities of covert operatives in the field -- deserve to be safeguarded. But when secrecy is abused, the result is a dangerous disdain that leads to officials exploiting secrecy for short-term advantage (think of the Valerie Plame affair or the White House leaking selected portions of National Intelligence Estimates to bolster flagging support for the Iraq war). Then disregard for the real need for secrecy spreads to the public. WhosaRat.com reveals the names of government witnesses in criminal cases. Other Web sites seek to out covert operatives or to post sensitive security documents online. 
* * * The abuse of secrecy is emboldened by technology, which hands those who would stymie transparency a powerful new tool. Federal courts have adopted an electronic management system that is the gateway to about 26 million cases. The hope was that the system would augment the already formidable measures taken to conceal the results of sealed cases and to dissuade the curious, including journalists, from prying into them. So the system was given a default setting that responds "Case Does Not Exist" whenever anyone inquires about sealed cases. Among the cases whose existence the system would deny are many in which leading U.S. corporations -- including Ford, General Motors, America Online, Sprint, McDonnell Douglas, Goodyear and Sunbeam -- are defendants. In my research, I learned of a case involving a child named Destiny who had allegedly been injured by a product manufactured by Graco, a prominent maker of children's furnishings and equipment. The case was settled in 2001. Attorneys for both sides declined to discuss it and said they had not alerted the government to any alleged risk posed by the product. There was no finding of liability and today, the product still can't be identified. In March 2005, Graco agreed to pay the Consumer Product Safety Commission a record $4 million after the government accused it of not reporting defects promptly. About 12 million Graco products had been recalled over a decade, some implicated in the deaths of six children and injuries to 900 others. Destiny was not counted among them. In response to my inquiry, the federal judge in the case invited me to petition the court to have the case unsealed. But first, I was told, I would have to sign a promise not to reveal what I learned. I declined. Courts that once served as an effective early warning system for public dangers now collude in suppressing them. 
Other sealed cases involve racial, sex and age discrimination; antitrust issues; fair labor practices; and racketeering -- all litigation in which the public has a profound interest. Sealed court cases aren't the only way that excessive secrecy puts the public at risk. Fourteen states have signed secrecy agreements with the Agriculture Department under which they will be notified about contaminated foods but agree not to ask about the source of those foods or the markets and restaurants that carry them. A federal database set up to warn people about dangerous doctors is inaccessible to the general public and available only to those in the health-care field. A government-run database designed to give the public early warnings about unsafe vehicles and tires does not reveal certain negative findings out of concern that they may "cause substantial competitive harm" to the manufacturers. That same excessive secrecy is reflected in the states. Sensitive to issues of privacy, Ohio refuses to release the names of more than 33,000 drivers who have been convicted of driving drunk five or more times. Last year, two Ohio college students were killed by a driver on his way to his 12th drunk-driving conviction. The casualties of such secrecy play out in state after state. * * * Not even the past is safe from the clutches of excessive secrecy. In the manuscript reading room at the Library of Congress, a public archive holding the papers of many eminent Americans, I asked for a list of everything I'm not allowed to see because of "national security." Some of what's on the list is ludicrous: 1953 correspondence of then-ambassador to Italy Clare Booth Luce, stamped "Top Secret;" economist Gerhard Colm's 1946-48 papers on German currency reform; a general's diary from June 1944. But other items raise more disturbing questions. 
Among them are materials, still considered classified even though they may have been used in front-page stories or in bestselling books, donated by leading journalists and authors, including four Pulitzer Prize-winning reporters: former New York Times writers Hedrick Smith, Neil Sheehan and William Safire, and former Washington Post investigative reporter George Lardner. Today, no member of the public -- not even the authors who donated them -- has access to those papers unless the government formally declassifies them. Each year, the State Department prepares several volumes of official diplomatic history known as the Foreign Relations of the United States. For years, the CIA, saying it must protect its "sources and methods," has withheld or selectively shared its records with the authors of the series, sometimes holding up volumes for years and leaving glaring omissions in others. A few years ago, the State Department and the CIA entered into a memorandum of understanding on the FRUS series. The department denied my repeated requests for a copy of that agreement, which is not classified but is, like a growing number of government documents, considered to be for "official use only." Not even members of the State Department's Advisory Committee on Historical Diplomatic Documentation were allowed to see it. Department historian Marc Susser told me that the agreement permits the CIA to read not only those portions of the draft histories related to agency activities but the entire volume in advance and gives the agency a voice in when the histories are published, lest they come out at a time of heightened sensitivity. Beyond that, he would say little about the agreement -- not because it holds critical secrets, but because the State Department wants to stay in the CIA's good graces. 
* * * Even before 9/11, the nation was expending enormous energy sifting through historical records that had been public for 25 years or more, searching for anything that might aid terrorists. At the National Archives, an Energy Department employee, relying on a list of key or "dirty" words, spent month after month going through hundreds of thousands of dusty records for anything that might be used against the nation and therefore require reclassification. He and a cadre of security specialists were focused on the nuclear threat. On Sept. 10, 2001, he found himself perusing a box of decades-old files in which he found records chronicling the story of a B-25 bomber that flew into the Empire State Building in a thick fog on July 28, 1945, killing 14 people and traumatizing the city of New York. But neither "airplane" nor "skyscraper" appeared on his word list, and he had the records returned to the open shelves. The next day he realized that he had been staring into the face of the real peril. It was a humbling lesson in the limits of secrecy -- and a stark reminder that what we have to fear is not information but a lack of imagination. tedgup at att.net Ted Gup is a journalism professor at Case Western Reserve University and author of "Nation of Secrets: The Threat to Democracy and the American Way of Life." From rforno at infowarrior.org Mon Jun 11 12:20:28 2007 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 11 Jun 2007 08:20:28 -0400 Subject: [Infowarrior] - MPAA accuses TorrentSpy of concealing evidence Message-ID: MPAA accuses TorrentSpy of concealing evidence Posted by Greg Sandoval http://news.com.com/8301-10784_3-9727965-7.html?part=rss&subj=news&tag=2547-1_3-0-20 The movie studios may have discovered a new and powerful weapon in their war on copyright infringement. 
The courts have for the first time found that the electronic trail briefly left in a computer server's Random Access Memory (RAM) by each visitor to a site is "stored information," and must be turned over as evidence during litigation, according to documents obtained by CNET News.com. Jacqueline Chooljian, a judge in the Central District of California in Los Angeles, issued the decision while presiding over a court fight between the studios and TorrentSpy, the BitTorrent search engine accused of copyright infringement in a lawsuit filed last year by the film industry. On May 29, Chooljian ordered TorrentSpy to begin logging user activity, including IP addresses, and turn the data over to the Motion Picture Assoc. of America (MPAA). The judge stayed the order on Friday to allow TorrentSpy time to prepare an appeal, which must be filed by Tuesday. She also allowed TorrentSpy to mask the Internet Protocol addresses of the site's users "at least at this juncture." This may be the first time that anyone has argued that information within RAM is electronically stored information and therefore subject to the rules of evidence, Chooljian said according to court records. Up to now, many Web sites that promised users anonymity, such as TorrentSpy, believed they need only to switch off their servers' logging function to avoid storing user data. Should Chooljian's order stand, the decision could force Web sites to rethink privacy precautions. The Electronic Frontier Foundation called the judge's decision "troubling" and said it could mean that any Web site operator could be compelled to log user activity anytime they faced a lawsuit. TorrentSpy's privacy policy pledges not to collect any personal information about users except when they "specifically and knowingly provide such information." But user data were stored at TorrentSpy, according to Chooljian. The judge said in court documents that this information survived on TorrentSpy's server RAM for about six hours. 
RAM is defined by Chooljian as "a chip where "volatile internal memory is stored." The judge agreed with the MPAA that the existence of user data in RAM enabled TorrentSpy to retrieve user information. She also wrote that the data was crucial for getting at the truth in the case, according to records. "There can be no serious dispute that the Server Log Data in issue is extremely relevant," the judge said in her finding. In one of the most hotly contested disputes so far in the case, the records show that the MPAA accused TorrentSpy of trying to conceal evidence when the search engine began directing visitors to the servers of an outside vendor at about the same time the MPAA filed suit in February 2006. The MPAA claimed that TorrentSpy did this to avoid being in possession of user information as the search engine anticipated receiving a court order, according to records. TorrentSpy denied the accusations and said that the outside vendor was chosen for "significantly faster processing and delivery." Among the arguments TorrentSpy made against turning over logs was that the law only required the production of documents already in possession. It did not ask for the creation of new records. That's exactly what the judge was asking the company to do, TorrentSpy's attorneys asserted in court records. Chooljian disagreed. "Since the information is already in the RAM, then defendants aren't really being asked to create new information," Chooljian wrote. She also noted that it was not her goal to set a far-reaching precedent with her decision. "The court emphasizes that its ruling," Chooljian said in the documents, "should not be read to require litigants in all cases to preserve and produce electronically stored information that is temporarily stored only in RAM." TorrentSpy's other arguments against tracking users were that the costs were too high, the action would violate users' privacy and hinder free speech. All were rejected. 
In response to TorrentSpy's free-speech argument, the judge cited other cases that had established illegal file sharing "qualifies for minimal First Amendment protection." Should TorrentSpy lose an appeal, the company would likely have seven days to produce data logs, according to the court records. The company's attorney, Ira Rothken, said Friday that it is unlikely TorrentSpy would continue operations in the United States if forced to turn over user data. From rforno at infowarrior.org Mon Jun 11 13:29:46 2007 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 11 Jun 2007 09:29:46 -0400 Subject: [Infowarrior] - Pentagon Confirms It Sought To Build A 'Gay Bomb' Message-ID: CBS5.com June 8, 2007 Pentagon Confirms It Sought To Build A 'Gay Bomb' Hank Plante Reporting (CBS 5) BERKELEY A Berkeley watchdog organization that tracks military spending said it uncovered a strange U.S. military proposal to create a hormone bomb that could purportedly turn enemy soldiers into homosexuals and make them more interested in sex than fighting. Pentagon officials on Friday confirmed to CBS 5 that military leaders had considered, and then subsequently rejected, building the so-called "Gay Bomb." Edward Hammond, of Berkeley's Sunshine Project, had used the Freedom of Information Act to obtain a copy of the proposal from the Air Force's Wright Laboratory in Dayton, Ohio. As part of a military effort to develop non-lethal weapons, the proposal suggested, "One distasteful but completely non-lethal example would be strong aphrodisiacs, especially if the chemical also caused homosexual behavior." The documents show the Air Force lab asked for $7.5 million to develop such a chemical weapon. 
< - > http://cbs5.com/topstories/local_story_159222541.html From rforno at infowarrior.org Mon Jun 11 18:52:58 2007 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 11 Jun 2007 14:52:58 -0400 Subject: [Infowarrior] - Federal Court Rules in Favor of 'Enemy Combatant' Message-ID: Federal Court Rules in Favor of 'Enemy Combatant' By Carol D. Leonnig Washington Post Staff Writer Monday, June 11, 2007; 1:58 PM http://www.washingtonpost.com/wp-dyn/content/article/2007/06/11/AR2007061101135.html?hpid=topnews A federal appeals court today ruled that the U.S. government cannot indefinitely imprison a U.S. resident on suspicion alone, and ordered the military to either charge Ali Saleh Kahlah al-Marri with his alleged terrorist crimes in a civilian court or release him. The opinion is a major blow to the Bush administration's assertion that as the president seeks to combat terrorism, he has exceptionally broad powers to detain without charges both foreign citizens abroad and those living legally in the United States. The government is expected to appeal the 2-1 decision handed down by a three-judge panel of the conservative U.S. Court of Appeals for the Fourth Circuit, which is in Richmond, Va. The decision is a victory for civil libertarians and Marri, a citizen of Qatar who was a legal resident of the United States and studying in Peoria, Ill., when he was arrested in December 2001 as a "material witness." He was detained initially in civil prisons, then transferred to a naval brig in Charleston, S.C., where he has been confined for the past five years. The government argued that Marri, who had met with al-Qaeda leader Osama bin Laden, was sent to the United States for a second wave of terrorist attacks. The appeals panel said President Bush overstretched his authority by declaring Marri an "enemy combatant," because the Constitution protects both U.S. 
citizens and legal residents such as Marri from an unchecked military and from being detained without charges and a fair trial. The court rejected the administration's claim that it was not relevant that Marri was arrested in the United States and was living here legally on a student visa. "The President cannot eliminate constitutional protections with the stroke of a pen by proclaiming a civilian, even a criminal civilian, an enemy combatant subject to indefinite military detention," the judge continued. "Put simply, the Constitution does not allow the President to order the military to seize civilians residing within the United States and detain them indefinitely without criminal process, and this is so even if he calls them 'enemy combatants.' " Marri is the last of three U.S. residents who had been imprisoned at the Charleston brig. Two others have since left the brig. Yaser Esam Hamdi -- a U.S. citizen captured on the battlefield in Afghanistan -- was held for almost three years by the military without charges. He was released and sent to his native Saudi Arabia after the Supreme Court ruled in 2004 that U.S. citizens must be provided with a trial by an impartial court. Jose Padilla, originally accused by the government of being a "dirty bomber," had also been held in the brig. But the government, just before an impending Supreme Court hearing on the case, chose to file much less substantial criminal charges against Padilla in November 2005 and transferred him to a civilian prison in Miami in January 2006. "This is an important victory for the rights of all individuals in this country to be free from unchecked executive detention power," said Jonathan Hafetz, al-Marri's lawyer at the Brennan Center for Justice. "If the government seeks to detain someone, it has the burden of producing its evidence in a court of law." 
Judge Henry Hudson, who dissented from the panel, said he agreed there was little precedent but said Bush did have the power to determine that al-Marri was an enemy combatant under Congress's Authorization to Use Military Force. "Although al-Marri was not personally engaged in armed conflict with U.S. forces, he is the type of stealth warrior used by al Qaeda to perpetrate terrorist acts against the United States," Hudson wrote. "There is little doubt" that al-Marri was in the country to aid in hostile attacks on the United States. Marri's brother, Jarallah al-Marri, was captured in January 2002 and transported to military detention at United States Guantanamo Bay Naval Base in Cuba. From rforno at infowarrior.org Tue Jun 12 12:49:13 2007 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 12 Jun 2007 08:49:13 -0400 Subject: [Infowarrior] - RIAA Anti-Piracy Seizure Information Message-ID: RIAA Anti-Piracy Seizure Information April 2006 http://www.grayzone.com/april2006busts.htm From rforno at infowarrior.org Tue Jun 12 12:55:11 2007 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 12 Jun 2007 08:55:11 -0400 Subject: [Infowarrior] - Crypto: Watermarking beer DNA Message-ID: Boffins put encrypted bio-copyright watermarks in beer DNA No knocking off Blade Runner pleasure replicants By Lewis Page Published Tuesday 12th June 2007 11:59 GMT http://www.theregister.co.uk/2007/06/12/dna_crypto_watermarked_replicants_n_beer/ German boffins believe they have developed a computer algorithm which can be used to hide encrypted "watermarks" within the DNA of living genetically-modified organisms. The procedure has been successful in simulated tests on live beer ingredients. Dominik Heider and Angelika Barnekow of the Department of Experimental Tumorbiology at the University of Muenster explain their techniques in an academic paper released last month. 
The two boffins' research is aimed at "the application of watermarks based on DNA sequences to identify the unauthorised use of genetically modified organisms (GMOs) protected by patents". The idea is that a patented GM organism - such as a crop, a drug or perhaps in future a Blade Runner-style engineered human replicant - might be pirated by unscrupulous rival manufacturers, who could then produce ripoff copies without doing any development work. Not if Heider and Barnekow have anything to do with it, though. Dodgy supermarket-carpark pleasure clones or whatnot would be easily identified as branded product using the DNA watermark, hidden among the information in their cells just as a microdot holding a hidden page of text can masquerade as a full stop on a sheet of paper. Of course, without encryption, the ripped bio-products could be easily given fake branding in the same fashion as a knockoff Rolex. The German boffins' bio-stegano-cryptograms, however, take that into account. Rather than an obvious image or text, the hidden DNA info would be encrypted. Their computer program, DNA-Crypt, can be combined with binary encryption algorithms like AES, RSA or Blowfish, or can be used with one-time pads. Apparently that's fairly yawn-worthy in the world of biosteganocrypto-boffinry - Heider and Barnekow cite several previous researchers who've hidden encrypted messages in DNA. The Germans' special sauce is that their DNA-Crypt program can deal with the occurrence of mutations, in which the DNA of the organism in question changes unpredictably as it reproduces. "Mutations do not occur very often, approximately 10^-10 to 10^-15 per cell division, but they can destroy the encrypted information in DNA sequences," according to the Muenster scientists. If a cop or future Replicant-Industry-Association-of-America (RIAA) enforcer checked a mutated sample, the watermark could be reduced to hash and the bio-ripper might get off scot-free. 
But the biocopyright-loving boffins reckon they've dealt with this, using "the 8/4 Hamming-code and ... the WDH-code," which are methods of writing to DNA which can provide "not only ... error detection but error corrections which enable us to maintain the data." These methods use up more space than ordinary DNA fiddling, so the DNA-Crypt platform uses an "integrated fuzzy controller" which "decides and recommends whether to use the 8/4 Hamming-code, the WDH-code or no mutation correction for optimal performance." We were especially pleased to hear that it "uses the Singleton-fuzzyfication," which ought to be a great marketing tool if nothing else. ("Nexus 6 pleasure models, verified genuine by DNA-Crypt™: now with Singleton fuzzyfication for optimal performance.") Heider and Barnekow have done successful tests of their procedure on Saccharomyces cerevisiae, better known (and loved for its beautiful effects) as brewer's yeast. Less importantly, it's also used to make bread. However, the watermarked brewing yeast trials were only in silico - in computer simulations. No real-world biowatermarked yeast, let alone beer or pleasure/warrior replicants, has yet been produced. For those interested, the DNA-Crypt code is Java-based (5.0 and higher) and cross-platform: Mac or Linux-using replicant designers can get in on the biowatermarking action. A preliminary pdf of the research paper is here, and the project homepage - which will apparently offer DNA-Crypt for download in future - is here.
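The mutation-correction idea the article attributes to DNA-Crypt, as an added Python example that is not from the article or from DNA-Crypt's own code: an extended Hamming(8,4) code protecting a byte string stored two bits per base. The base mapping (A=00, C=01, G=10, T=11), the interleaving of two codewords across each 8-base block, the helper names and the sample bytes are assumptions made here.

```python
"""Added example: extended Hamming(8,4) protection for a DNA-encoded watermark.

Assumptions (not DNA-Crypt's actual layout): bases carry two bits each
(A=00, C=01, G=10, T=11), and each byte becomes two codewords interleaved
across one 8-base block, so one base substitution damages at most one bit
of each codeword and stays correctable.
"""

BASES = "ACGT"  # assumed 2-bit mapping: index in this string = bit pair


def hamming84_encode(nibble):
    """Encode 4 data bits as 8 bits: Hamming(7,4) plus an overall parity bit."""
    d = [(nibble >> i) & 1 for i in range(4)]
    p1 = d[0] ^ d[1] ^ d[3]                      # covers positions 1,3,5,7
    p2 = d[0] ^ d[2] ^ d[3]                      # covers positions 2,3,6,7
    p4 = d[1] ^ d[2] ^ d[3]                      # covers positions 4,5,6,7
    bits = [p1, p2, d[0], p4, d[1], d[2], d[3]]  # positions 1..7
    return bits + [sum(bits) & 1]                # position 8: overall parity


def hamming84_decode(bits):
    """Return (nibble, errors_fixed); raise ValueError on a double-bit error."""
    b = list(bits)
    syndrome = 0
    for pos in range(1, 8):
        if b[pos - 1]:
            syndrome ^= pos                      # XOR of set positions; 0 if clean
    fixed = 0
    if sum(b) & 1:                               # odd overall parity: one bit flipped
        if syndrome:                             # syndrome 0 means the parity bit itself
            b[syndrome - 1] ^= 1
        fixed = 1
    elif syndrome:                               # even parity but nonzero syndrome
        raise ValueError("two bit errors in one codeword: detected, not correctable")
    return b[2] | (b[4] << 1) | (b[5] << 2) | (b[6] << 3), fixed


def encode_watermark(data):
    """Map bytes (e.g. ciphertext of the watermark) to a base string, 8 bases per byte."""
    out = []
    for byte in data:
        hi = hamming84_encode(byte >> 4)
        lo = hamming84_encode(byte & 0x0F)
        # Base i carries bit i of the high-nibble codeword and bit i of the low one.
        out.extend(BASES[(hi[i] << 1) | lo[i]] for i in range(8))
    return "".join(out)


def decode_watermark(dna):
    """Return (bytes, bit_errors_fixed); raise ValueError if a block is beyond repair."""
    if len(dna) % 8:
        raise ValueError("sequence length must be a multiple of 8 bases")
    data, fixed = bytearray(), 0
    for off in range(0, len(dna), 8):
        vals = [BASES.index(c) for c in dna[off:off + 8]]
        hi, f_hi = hamming84_decode([v >> 1 for v in vals])
        lo, f_lo = hamming84_decode([v & 1 for v in vals])
        data.append((hi << 4) | lo)
        fixed += f_hi + f_lo
    return bytes(data), fixed


def mutate(dna, index, flip):
    """Simulate a point substitution: XOR the base's 2-bit value with flip (1..3)."""
    new_base = BASES[BASES.index(dna[index]) ^ flip]
    return dna[:index] + new_base + dna[index + 1:]


if __name__ == "__main__":
    watermark = bytes([0x8F, 0x13, 0xA7])        # constructed stand-in for ciphertext
    dna = encode_watermark(watermark)
    damaged = mutate(mutate(dna, 2, 3), 20, 1)   # one substitution in two blocks
    print(dna, damaged, decode_watermark(damaged))
```

Two substitutions that land in the same 8-base block and hit the same codeword are detected but not repaired, which is the limit of this code.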
From rforno at infowarrior.org Tue Jun 12 17:38:32 2007 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 12 Jun 2007 13:38:32 -0400 Subject: [Infowarrior] - States rebel against Real ID Act In-Reply-To: Message-ID: States rebel against Real ID Act Posted on June 11, 2007 in your rights, privacy and security, laws, bills, and policy by bean http://www.lawbean.com/2007/06/11/states-rebel-against-real-id-act/ Four states have passed laws that reject federal rules regarding a national identification system. This casts serious doubt on the future of the 2005 Real ID Act that goes into effect in December 2009. New Hampshire and Oklahoma joined Montana and Washington state in the passage of statutes that refute guidelines set forth in the Act. However, these actions could eventually lead to drivers licenses issued in these states to not be accepted as official identification when boarding airplanes or accessing federal buildings. In addition to these four states, members of the Idaho legislature intentionally left out money in the budget to comply with the Act. The Real ID Act raises serious privacy concerns, but there is disagreement about whether the Act will actually institute a national identification card system or not. The new law only sets forth national standards, but leaves the issuance of cards and the maintenance of databases in state hands. Some claim that this does not constitute a true national ID system, and may even forestall the arrival of national ID. Yet others argue that this is a trivial distinction, and that the new cards are in fact national ID cards, thanks to the uniform national standards created by the AAMVA and the linking of state databases. The actions by these states are increasingly putting pressure on Congress and the Department of Homeland Security to change or repeal the law. The Wisconsin State Journal has an incredibly good analysis of the mess. 
They write: States have rebelled at the $14 billion in costs the act imposes on states, as well as worries that the new security system will invade residents' privacy and create what amounts to a national ID card. On Capitol Hill, two bills would repeal the law, one co-sponsored by Senate Judiciary Committee Chairman Patrick Leahy, D-Vt. However, an amendment to the immigration bill now being debated in the U.S. Senate would ratchet up the consequences for states that fail to comply with Real ID. The Senate's proposed immigration law would require job applicants to verify their citizenship to employers using a driver's license that meets Real ID standards or with a passport. --------------------------- http://www.news.com/ FAQ: How Real ID will affect you By Declan McCullagh http://news.com.com/FAQ+How+Real+ID+will+affect+you/2100-1028_3-5697111.html Story last modified Fri May 06 14:11:38 PDT 2005 What's all the fuss with the Real ID Act about? President Bush is expected to sign an $82 billion military spending bill soon that will, in part, create electronically readable, federally approved ID cards for Americans. The House of Representatives overwhelmingly approved the package--which includes the Real ID Act--on Thursday. What does that mean for me? Starting three years from now, if you live or work in the United States, you'll need a federally approved ID card to travel on an airplane, open a bank account, collect Social Security payments, or take advantage of nearly any government service. Practically speaking, your driver's license likely will have to be reissued to meet federal standards. News.context What's new: The House of Representatives has approved an $82 billion military spending bill with an attachment that would mandate electronically readable ID cards for Americans. President Bush is expected to sign the bill. Bottom line: The Real ID Act would establish what amounts to a national identity card. 
State drivers' licenses and other such documents would have to meet federal ID standards established by the Department of Homeland Security. From rforno at infowarrior.org Tue Jun 12 18:56:42 2007 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 12 Jun 2007 14:56:42 -0400 Subject: [Infowarrior] - A political article I think we all can agree with.... Message-ID: Don't bother me with politics until next summer..........rf U.S. voters may face outbreak of "campaign fatigue" Tue Jun 12, 2007 7:49AM EDT http://www.reuters.com/article/politicsNews/idUSN1119741820070612?feedType=RSS&rpc=22 By Ellen Wulfhorst NEW YORK (Reuters) - Inundated with politics long before the 2008 presidential election, U.S. voters are in danger of suffering wearying bouts of the uniquely American affliction of "campaign fatigue" in coming months. Experts say voters who follow the news closely are most at risk of the condition striking this year earlier than ever. It takes its toll with information overload, long hitches of unpaid work for campaign volunteers and the all-important undecided voters on the fence longer than usual. Voter attention tends to wane in between the early debates, major primaries and conventions and, in a contest so long this time it includes two summer hiatuses before the November 2008 vote, fatigue is practically unavoidable, many of the experts said. "It's a reality. There's going to be a lot of fatigue, come summer," said Thomas Patterson, a professor specializing in government and the press at the John F. Kennedy School of Government at Harvard University. "People are thinking this has been going on a long time already." Eighteen months before the election, the race for the White House has a cast of 18 declared Republican and Democratic contenders, not to mention a handful of potential late entries. Even some political junkies feel tired. 
"I follow this stuff pretty closely and it's starting to wear me out," said Thomas Holbrook, political science professor at the University of Wisconsin. "Here we are, in June 2007, nobody's going to cast a vote for another six months, and I'm still having to check the election blogs every morning to find out what's been going on," he said. Campaign fatigue will tend to hit the type of voter who likes to pay attention early, absorb the news and follow the issues, said John Aldrich, political science professor at Duke University in Durham, North Carolina. "They're the people who are going to fade out. That kind of worries me," said Aldrich, who conceded he had not watched any of the season's half-dozen presidential debates. "It's 90 degrees (32 C) here," he said. "It's not time for campaigning." 'GO AWAY. IT'S SUMMER' He's not alone. The debates have reached fewer than 3 million people, on average, so far. That's a far cry from the 70 million viewers who watched the first-ever televised debate in 1960 between then-Sen. John Kennedy and then-Vice President Richard Nixon. Fatigue tends to hit hard on campaign volunteers, Patterson said. "It's one thing to be active when people are excited and glad to see you on the street or knocking on their door. It's another thing when they say, 'Go away. It's summer,'" he said. "I think we're going to lose some of that impulse, some of that energy. I think it's flagging already." Not all experts agree on a looming fatigue. "There are lots of viable candidates ... and there is a lot of uncertainty about who will win. This has the makings of a race that can hold voters' interest," said John Sides, political science professor at the George Washington University in Washington. Those in the thick of politics may sense a fatigue that voters may not feel, said television news veteran Sam Donaldson, who hosts a daily "Politics Live" show on an online arm of the ABC News network. 
"I don't think the general public is fatigued," Donaldson said. "They're concentrating on Paris Hilton." Besides, the question of fatigue gives political experts a topic of conversation on slow days, said Douglas Muzzio, Baruch College professor of public affairs at the City University of New York. "It allows us to talk about being tired of talking about it," he said. ? Reuters 2006. All rights reserved. From rforno at infowarrior.org Tue Jun 12 19:04:37 2007 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 12 Jun 2007 15:04:37 -0400 Subject: [Infowarrior] - More USPTO stupidity Message-ID: New low in patent stupidty: searching for a used car with a clean title http://www.boingboing.net/2007/06/12/new_low_in_patent_st.html The US Patent and Trademark Office has just granted a particularly ludicrous patent: Carfax now owns the idea of searching for cars that have clean titles. Somehow, this didn't qualify as "obvious." A method of searching for used vehicles comprising: * Using VIN numbers to look up the title status of a vehicle; * Storing the title status of the vehicle in a database; and * Providing a list of vehicles based on title status to users who search for them online. Could this be any more obvious? Even the patent itself admits that methods of compiling title information on used cars have been around since 1991. So what's the novel aspect of this invention? Why does stupid stuff like this matter? It matters because every click and every idea is becoming someone's property. It doesn't matter if we've been doing it forever (like querying databases!), or if it's totally obvious, someone ends up owning it. The USPTO is open for anyone who wants to claim ownership of any idea (no wonder -- their funding comes from filing fees for patents), and once those patents end up in the hands of patent trolls, it's open season on the firms and people who make great stuff. 
We all pay: we pay for the legal costs of fighting patent battles, built into the price of our stuff. We pay for the technologies that never come to market because of patent fears. We pay for all the ridiculous "defensive patents" filed by startups (there's no such thing as a defensive patent: having a patent doesn't mean that the USPTO won't give the same patent to someone else, and then your "defense" consists of not running out of money to fight the patent in court), which then turn into patent-troll armaments when the startups tank. Astroturfing companies run bogus sites like this one, where they argue for "patent reforms" that consist of not reforming anything. Sites like Patent Fairness are a good place to get the real story. From rforno at infowarrior.org Tue Jun 12 19:26:04 2007 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 12 Jun 2007 15:26:04 -0400 Subject: [Infowarrior] - Secret Surveillance Evidence Unsealed in AT&T Spying Case Message-ID: Electronic Frontier Foundation Media Release For Immediate Release: Tuesday, June 12, 2007 Contact: Cindy Cohn Legal Director Electronic Frontier Foundation cindy at eff.org +1 415 436-9333 x108 (office), +1 415 307-2148 (cell) Kurt Opsahl Senior Staff Attorney Electronic Frontier Foundation kurt at eff.org +1 415 436-9333 x106 Secret Surveillance Evidence Unsealed in AT&T Spying Case Whistleblower Declaration and Other Key Documents Released to Public San Francisco - More documents detailing secret government surveillance of AT&T's Internet traffic have been released to the public as part of the Electronic Frontier Foundation's (EFF's) class-action lawsuit against the telecom giant. Some of the unsealed information was previously made public in redacted form. But after negotiations with AT&T, EFF filed newly unredacted documents describing a secret, secure room in AT&T's facilities that gave the National Security Agency (NSA) direct access to customers' emails and other Internet communications. 
These include several internal AT&T documents that have long been available on media websites, EFF's legal arguments to the 9th Circuit, and the full declarations of whistleblower Mark Klein and of J. Scott Marcus, the former Senior Advisor for Internet Technology to the Federal Communications Commission, who bolsters and explains EFF's evidence. "This is critical evidence supporting our claim that AT&T is cooperating with the NSA in the illegal dragnet surveillance of millions of ordinary Americans," said EFF Legal Director Cindy Cohn. "This surveillance is under debate in Congress and across the nation, as well as in the courts. The public has a right to see these important documents, the declarations from our witnesses, and our legal arguments, and we are very pleased to release them." EFF filed the class-action suit against AT&T last year, accusing the telecom giant of illegally assisting in the NSA's spying on millions of ordinary Americans. The lower court allowed the case to proceed and the government has now asked the 9th U.S. Circuit Court of Appeals to dismiss the case, claiming that the lawsuit could expose state secrets. EFF's newly released brief in response outlines how the case should go forward respecting both liberty and security. "The District Court rejected the government's attempt to sweep this case under the rug," said EFF Senior Staff Attorney Kurt Opsahl. "This country has a long tradition of open court proceedings, and we're pleased that as we present our case to the Court of Appeals, the millions of affected AT&T customers will be able to see our arguments and evidence and judge for themselves." Oral arguments in the 9th Circuit appeal are set for the week of August 13. 
For the unredacted Klein declaration: http://eff.org/legal/cases/att/SER_klein_decl.pdf For the internal documents: http://eff.org/legal/cases/att/SER_klein_exhibits.pdf For the unredacted Marcus declaration: http://eff.org/legal/cases/att/SER_marcus_decl.pdf For EFF's 9th Circuit brief: http://eff.org/legal/cases/att/9thanswerbrief.pdf For more on the class-action lawsuit against AT&T: http://www.eff.org/legal/cases/att/ For this release: http://www.eff.org/news/archives/2007_06.php#005304 About EFF The Electronic Frontier Foundation is the leading civil liberties organization working to protect rights in the digital world. Founded in 1990, EFF actively encourages and challenges industry and government to support free expression and privacy online. EFF is a member-supported organization and maintains one of the most linked-to websites in the world at http://www.eff.org/ From rforno at infowarrior.org Wed Jun 13 11:36:37 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 13 Jun 2007 07:36:37 -0400 Subject: [Infowarrior] - Want Off Street View? Google Wants Your ID and a Sworn Statement Message-ID: EFF privacy advocate and unhappy Street View model Kevin Bankston made good on his vow to try out Google's take-down policy after THREAT LEVEL found a picture of his unwitting mug stalking the sidewalks near EFF's offices. What he learned: Google is happy to remove you from Street View ... provided you give them a wealth of additional information, including a photo of your driver's license. <-> http://blog.wired.com/27bstroke6/2007/06/want_off_street.html From rforno at infowarrior.org Wed Jun 13 11:43:03 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 13 Jun 2007 07:43:03 -0400 Subject: [Infowarrior] - RIP, Don "Mr. Wizard" Herbert Message-ID: Don Herbert, 89; TV's 'Mr. 
Wizard' taught science to young baby boomers By Dennis McLellan, Times Staff Writer June 13, 2007 http://www.latimes.com/news/local/la-me-herbert13jun13,0,457794,full.story Don Herbert, who explained the wonderful world of science to millions of young baby boomers on television in the 1950s and '60s as "Mr. Wizard" and did the same for another generation of youngsters on the Nickelodeon cable TV channel in the 1980s, died Tuesday. He was 89. Herbert died at his home in Bell Canyon after a long battle with multiple myeloma, said Tom Nikosey, Herbert's son-in-law. A low-key, avuncular presence who wore a tie and white dress shirt with the sleeves rolled up, Herbert launched his weekly half-hour science show for children on NBC in 1951. Broadcast live from Chicago on Saturdays the first few years and then from New York City, "Watch Mr. Wizard" ran for 14 years. Herbert used basic experiments to teach scientific principles to his TV audience via an in-studio guest boy or girl who assisted in the experiments. "I was a grade school kid in the '50s and watched 'Mr. Wizard' Saturday mornings and was just glued to the television," said Nikosey, president of Mr. Wizard Studios, which sells Herbert's science books and TV shows on DVD. "The show just heightened my curiosity about science and the way things worked," Nikosey said. "I learned an awful lot from him, as did millions of other kids." By 1955, there were about 5,000 Mr. Wizard Science Clubs nationwide, with more than 100,000 members. And as Mr. Wizard, Herbert was a true TV star, featured in an array of magazines, including TV Guide, Life, Time, Newsweek, Science Digest, Boy's Life and even Glamour. Herbert was taken aback by the show's success. "What really did it for us was the inclusion of a child," he told the St. Louis Post-Dispatch in 2004. "When we started out, it was just me up there alone. That was too much like having a professor give a lecture. 
We cast a boy and girl to come in and talk with me about science. That's when it took off. "The children watching could identify with someone like them." In explaining how he brought a sense of wonder to elementary scientific experiments, Herbert told the New York Times in 2004 that he "would perform the trick, as it were, to hook the kids, and then explain the science later. "We thought we needed it to seem like magic to hook the audience, but then we realized that viewers would be engaged with just a simple scientific question, like, why do birds fly and not humans? A lot of scientists criticized us for using the words 'magic' and 'mystery' in the show's subtitle, but they came around eventually." "Watch Mr. Wizard" garnered numerous honors, including a Peabody Award, four Ohio State awards and the Thomas Alva Edison Foundation Award for "Best Science TV Program for Youth." And Herbert had a lasting effect. "Over the years, Don has been personally responsible for more people going into the sciences than any other single person in this country," George Tressel, a National Science Foundation official, said in 1989. "I fully realize the number is virtually endless when I talk to scientists," he said. "They all say that Mr. Wizard taught them to think." Herbert's experiments on the show typically used household items. As a 1951 Time magazine story noted: "Herbert's object is to show his audience what goes on in the world -- why the wind blows, what makes a cake rise, how water comes out of a kitchen tap. "To explain rain, he boils water in a coffee pot, compares the steam to clouds, and shows how 'rain' will condense on the sides of a glass held over the spout." Not every Mr. Wizard experiment went according to plan. In "Saturday Morning TV," a 1981 book by Gary H. Grossman, Herbert recalled pouring two colorless solutions into one glass and then announced that the solution would turn black before he counted to nine. 
"I got up to 20 and decided I'd better stop," he recalled. "I explained that apparently other factors like temperature and acidity had interfered with the experiment." But as he finished his explanation, the liquid changed color. "It was embarrassing, certainly, but I discovered the answer," he said. "We hadn't used a fresh solution, so the reaction was slower than expected." After "Watch Mr. Wizard" ended its 14-year-run in 1965, Herbert showed up frequently on talk shows, including "The Tonight Show" and "Late Night With David Letterman." "Watch Mr. Wizard" was revived in 1971 for a season, and "Mr. Wizard's World" ran on Nickelodeon from 1983 to 1990. Born July 10, 1917, in Waconia, Minn., Herbert later moved to Minneapolis and then La Crosse, Wis. He graduated from LaCrosse State Teachers College in 1940 and could have taught English or general science -- his majors -- but he recalled later that he was more interested in the theater. He worked as an actor and stagehand in a Minnesota theater group before moving to New York City in 1941. A year later, he volunteered for the Army Air Forces. As a B-24 bomber pilot, he flew 56 missions over Italy, Germany and Yugoslavia and received the Distinguished Flying Cross and the Air Medal with three oak-leaf clusters. Herbert wrote several books, including "Mr. Wizard's Supermarket Science" and "Mr. Wizard's Experiments for Young Scientists." In recent years, he helped set up his website, http://www.mrwizardstudios.com . He is survived by his wife of 34 years, Norma; his two sons and a daughter from his first marriage, Jay and Jeffrey and Jill Rogers; his stepdaughters Kendra Jeffcoat and Kris Nikosey; his stepson, Kim Kasell; and 13 grandchildren. The family plans to hold a private memorial service. 
dennis.mclellan at latimes.com From rforno at infowarrior.org Wed Jun 13 12:34:36 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 13 Jun 2007 08:34:36 -0400 Subject: [Infowarrior] - DHS to Tout Still Incomplete Community Preparedness Plans Message-ID: June 12, 2007 -- 7:02 p.m. DHS to Tout Still Incomplete Community Preparedness Plans By Eileen Sullivan, CQ Staff http://public.cq.com/docs/hs/hsnews110-000002530174.html The Department of Homeland Security plans to trumpet several incomplete preparedness documents as part of its nationwide effort to promote community preparedness. Corey Gruber, acting deputy administrator for National Preparedness at the Federal Emergency Management Agency, is expected to tell House lawmakers Wednesday about the ways the department helps the public prepare for a myriad of disasters from tornadoes to terrorist attacks, according to a draft of his testimony obtained by Congressional Quarterly. Americans are not any better prepared for a natural disaster or terrorist attack than they were in 2003, according to the department's most recent citizen preparedness research, released in fall 2006. Several of the documents and plans that Gruber is expected to tout are still in draft form or undergoing revisions. Gruber is expected to testify before the House Homeland Security Committee regarding the Interim National Preparedness Goal and its list of target capabilities, state and urban area homeland security strategies, Homeland Security Grant Program guidance, and the National Response Plan. Homeland Security Presidential Directive 8 (HSPD-8), issued on Dec. 17, 2003, called for creating a National Preparedness Goal -- a standard to which preparedness can be measured. This goal should outline preparation measures for first-responders, including training, exercising and equipment, to face a wide range of natural and man-made hazards. An Interim National Preparedness Goal was issued in March 2005. 
The department has yet to issue the final goal. DHS has not finalized the Target Capabilities List either. The president called for the creation of a National Response Plan in February 2003. That plan was published in January 2005, but it has been going through revisions since Hurricane Katrina, which struck the Gulf Coast later that year. A final plan was to be published this month, but the department missed the deadline. FEMA Administrator R. David Paulison told lawmakers his goal is to have the National Response Plan out by July 1, but sources familiar with the rewrite say it's going to be later this summer. "Here we are today amidst another hurricane season, still waiting on the Department of Homeland Security to publish guidance needed to empower community and citizen preparedness around the country," Chairman Bennie Thompson, D-Miss., said in an e-mail to Congressional Quarterly. "The Department often states that partnerships with states and localities are the path to preparedness, yet time and time again we see frustration filling the void where direction and strategies should have been." FEMA spokesman Aaron Walker said the department and FEMA already have functioning plans, particularly the National Response Plan. The revisions to the plan will make it more user-friendly, he said. "There is a misconception that FEMA doesn't have a plan. That's just not accurate," Walker said. "The plan we have works." As for the National Preparedness Goal, DHS said the document is under final review and should be released soon. Officials from the National Council on Disability, the Texas Association of Regional Councils, the National Volunteer Fire Council and the Partnership for Disaster Response are also scheduled to testify at Wednesday's hearing. Eileen Sullivan can be reached at esullivan at cq.com. 
From rforno at infowarrior.org Wed Jun 13 23:32:09 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 13 Jun 2007 19:32:09 -0400 Subject: [Infowarrior] - AT&T To Police Internet For Copyright Infractions Message-ID: ...maybe this was their idea all along -- if the NSA thing got exposed, they could pimp their services to the MPAA/RIAA content cartels...... AT&T To Police Internet For Copyright Infractions By Ryan Singel June 13, 2007 | 11:25:50 AM AT&T, one of the nation's largest ISPs and internet backbone providers, is now working with Hollywood and the recording industry to create a network-based solution to police copyright infringement, according to the Los Angeles Times. < - > http://blog.wired.com/27bstroke6/2007/06/att_to_police_i.html From rforno at infowarrior.org Thu Jun 14 10:59:44 2007 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 14 Jun 2007 06:59:44 -0400 Subject: [Infowarrior] - FBI Finds It Frequently Overstepped in Collecting Data Message-ID: FBI Finds It Frequently Overstepped in Collecting Data By John Solomon Washington Post Staff Writer Thursday, June 14, 2007; A01 http://www.washingtonpost.com/wp-dyn/content/article/2007/06/13/AR2007061302453_pf.html An internal FBI audit has found that the bureau potentially violated the law or agency rules more than 1,000 times while collecting data about domestic phone calls, e-mails and financial transactions in recent years, far more than was documented in a Justice Department report in March that ignited bipartisan congressional criticism. The new audit covers just 10 percent of the bureau's national security investigations since 2002, and so the mistakes in the FBI's domestic surveillance efforts probably number several thousand, bureau officials said in interviews. The earlier report found 22 violations in a much smaller sampling. 
The vast majority of the new violations were instances in which telephone companies and Internet providers gave agents phone and e-mail records the agents did not request and were not authorized to collect. The agents retained the information anyway in their files, which mostly concerned suspected terrorist or espionage activities. But two dozen of the newly-discovered violations involved agents' requests for information that U.S. law did not allow them to have, according to the audit results provided to The Washington Post. Only two such examples were identified earlier in the smaller sample. FBI officials said the results confirmed what agency supervisors and outside critics feared, namely that many agents did not understand or follow the required legal procedures and paperwork requirements when collecting personal information with one of the most sensitive and powerful intelligence-gathering tools of the post-Sept. 11 era -- the National Security Letter, or NSL. Such letters are uniformly secret and amount to nonnegotiable demands for personal information -- demands that are not reviewed in advance by a judge. After the 2001 terrorist attacks, Congress substantially eased the rules for issuing NSLs, requiring only that the bureau certify that the records are "sought for" or "relevant to" an investigation "to protect against international terrorism or clandestine intelligence activities." The change -- combined with national anxiety about another domestic terrorist event -- led to an explosive growth in the use of the letters. More than 19,000 such letters were issued in 2005 seeking 47,000 pieces of information, mostly from telecommunications companies. But with this growth came abuse of the newly relaxed rules, a circumstance first revealed in the Justice Department's March report by Inspector General Glenn A. Fine. 
"The FBI's comprehensive audit of National Security Letter use across all field offices has confirmed the inspector general's findings that we had inadequate internal controls for use of an invaluable investigative tool," FBI General Counsel Valerie E. Caproni said. "Our internal audit examined a much larger sample than the inspector general's report last March, but we found similar percentages of NSLs that had errors." "Since March," Caproni added, "remedies addressing every aspect of the problem have been implemented or are well on the way." Of the more than 1,000 violations uncovered by the new audit, about 700 involved telephone companies and other communications firms providing information that exceeded what the FBI's national security letters had sought. But rather than destroying the unsolicited data, agents in some instances issued new National Security Letters to ensure that they could keep the mistakenly provided information. Officials cited as an example the retention of an extra month's phone records, beyond the period specified by the agents. Case agents are now told that they must identify mistakenly produced information and isolate it from investigative files. "Human errors will inevitably occur with third parties, but we now have a clear plan with clear lines of responsibility to ensure errant information that is mistakenly produced will be caught as it is produced and before it is added to any FBI database," Caproni said. The FBI also found that in 14 investigations, counterintelligence agents using NSLs improperly gathered full credit reports from financial institutions, exercising authority provided by the USA Patriot Act but meant to be applied only in counterterrorism cases. In response, the bureau has distributed explicit instructions that "you can't gather full credit reports in counterintelligence cases," a senior FBI official said. 
In 10 additional investigations, FBI agents used NSLs to request other information that the relevant laws did not allow them to obtain. Officials said that, for example, agents might have requested header information from e-mails -- such as the subject lines -- even though NSLs are supposed to be used to gather information only about the e-mails' senders and the recipients, not about their content. The FBI audit also identified three dozen violations of rules requiring that NSLs be approved by senior officials and used only in authorized cases. In 10 instances, agents issued National Security Letters to collect personal data without tying the requests to specific, active investigations -- as the law requires -- either because, in each case, an investigative file had not been opened yet or the authorization for an investigation had expired without being renewed. FBI officials said the audit found no evidence to date that any agent knowingly or willingly violated the laws or that supervisors encouraged such violations. The Justice Department's report estimated that agents made errors about 4 percent of the time and that third parties made mistakes about 3 percent of the time, they said. The FBI's audit, they noted, found a slightly higher error rate for agents -- about 5 percent -- and a substantially higher rate of third-party errors -- about 10 percent. The officials said they are making widespread changes to ensure that the problems do not recur. Those changes include implementing a corporate-style, continuous, internal compliance program to review the bureau's policies, procedures and training, to provide regular monitoring of employees' work by supervisors in each office, and to conduct frequent audits to track compliance across the bureau. The bureau is also trying to establish for NSLs clear lines of responsibility, which were lacking in the past, officials said. 
Agents who open counterterrorism and counterintelligence investigations have been told that they are solely responsible for ensuring that they do not receive data they are not entitled to have. The FBI audit did not turn up new instances in which another surveillance tool known as an Exigent Circumstance Letter had been abused, officials said. In a finding that prompted particularly strong concerns on Capitol Hill, the Justice Department had said such letters -- which are similar to NSLs but are meant to be used only in security emergencies -- had been invoked hundreds of times in "non-emergency circumstances" to obtain detailed phone records, mostly without the required links to active investigations. Many of those letters were improperly dispatched by the bureau's Communications Analysis Unit, a central clearinghouse for the analysis of telephone records such as those gathered with the help of "exigent" letters and National Security Letters. Justice Department and FBI investigators are trying to determine if any FBI headquarters officials should be held accountable or punished for those abuses, and have begun advising agents of their due process rights during interviews. The FBI audit will be completed in the coming weeks, and Congress will be briefed on the results, officials said. FBI officials said each potential violation will then be extensively reviewed by lawyers to determine if it must be reported to the Intelligence Oversight Board, a presidential panel of senior intelligence officials created to safeguard civil liberties. The officials said the final tally of violations that are serious enough to be reported to the panel might be much less than the number turned up by the audit, noting that only five of the 22 potential violations identified by the Justice Department's inspector general this spring were ultimately deemed to be reportable. 
"We expect that percentage will hold or be similar when we get through the hundreds of potential violations identified here," said a senior FBI official, who spoke on the condition of anonymity because the bureau's findings have not yet been made public. From rforno at infowarrior.org Thu Jun 14 12:34:35 2007 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 14 Jun 2007 08:34:35 -0400 Subject: [Infowarrior] - Apple Goes on Safari With Hostile Security Researchers Message-ID: Apple Goes on Safari With Hostile Security Researchers Ryan Singel 06.14.07 | 2:00 AM http://www.wired.com/gadgets/mac/news/2007/06/researchersmeetsafari Security researchers have long speculated that Apple has benefited from security by obscurity, escaping attention from malicious hackers because Windows-based computers dominate in homes and offices. But Apple's new Safari for Windows puts it right in hackers' crosshairs. The browser gives hackers another way to attack Windows and security researchers will now likely spend hours hunting down holes in the code. But Apple's culture of secrecy and slick marketing has put it at odds with a community that values openness and honesty -- a lot of computer security experts aren't very fond of the computer maker. Indeed some in the security community think Apple's stance towards security is as bad as Microsoft's was in the days when it was called the "Evil Empire," prior to Bill Gates's declaration in 2002 that security was the company's top priority. When asked over the phone if Apple treated security researchers well, Black Hat founder Jeff Moss relayed the question to researchers at the Computer Security Institute conference. Howls of derisive laughter came pouring through his cell phone. "They are vulnerable like anyone else, but they are still controlled by marketing campaigns," said Moss. "Their approach will change -- but when will it change?" Apple has a mixed reputation in the security community. 
It's been criticized for how it handles reports of vulnerabilities, how it reports the severity of bugs in automatic security updates and how long it takes to patch flaws. In addition, Moss said Apple has a reputation of not crediting researchers who find bugs. Security researchers generally adhere to a policy of reporting bugs quietly to software vendors ahead of time in return for public credit when a fix is shipped. However, Apple has been accused of fixing bugs silently, or fixing a security bug and reclassifying it as a "usability bug" rather than crediting researchers. By releasing a beta version of Safari to the public, Apple expects to get feedback on bugs and vulnerabilities, but some researchers are loath to provide it unless they get proper credit. Security researcher David Maynor said he found six Safari bugs in one day using commonly available tools that Apple engineers should have used themselves. "Apple is using the research community as their (quality assurance) department, which makes me not want to report bugs," he said. "If they aren't going to run these tools, why should I run them and report them?" While Maynor says he follows this policy for companies like Microsoft, he refuses to report bugs to Apple following a vitriolic contretemps last summer involving a wireless-driver bug. Maynor contends Apple attacked his credibility, while Maynor's detractors say he overstated the severity of the exploit. One of the bugs is a remote exploit that works on the beta browser and the current production version of Safari for Mac OS X, according to Maynor. Maynor says he plans to hold onto the exploit until he can buy an iPhone and break into it. Maynor is not alone in probing the new browser. 
Just one day after Apple released the Safari beta, security researchers published detailed accounts of critical vulnerabilities in the browser, ranging from attacks that simply crashed the browser, to one that allowed a website to run commands on the computer of a visitor running Safari. But animus towards Apple is not universal in the security community. Dino Dai Zovi, a security researcher who recently won $10,000 by taking over a Mac remotely, says he's reported nine vulnerabilities to Apple and found them to be as responsive as most in the industry. Apple tends to be slow issuing patches, according to Dai Zovi, but can be quick when there's a lot of public scrutiny, such as with his QuickTime/Java exploit, which it fixed in a "groundbreaking" eight days. But Dai Zovi said Apple may be about to enter much hotter water, thanks to its new Windows browser, the hot new iPhone and increased Mac market share. "They are going to have to deal with a lot more vulnerability reports," Dai Zovi said. "Just like Microsoft, once the public perception of security impacts sales, Apple will most likely step it up." David Goldsmith, the president of Matasano Security, echoed Dai Zovi's take on Apple's handling of reports, saying he's never had a problem with Apple not crediting him for a bug, but that in the past Apple had a habit of underplaying the severity of the bug. Goldsmith said Apple might have to fix bugs faster because more people will be watching what the company does. "Apple has a reputation of being more secure and one of the theories is that it is because less people are looking at it (for vulnerabilities)," Goldsmith said. "(The Windows Safari browser) may prove to be a way of validating that claim. It is safe to say they are going to change the way they react to these communications just because they will have more exposure to them." 
Apple was not immediately available for detailed comment, but a spokesperson pointed out that the Safari browser relies on an open-source browser engine that has been well tested and used by companies like Nokia.

From rforno at infowarrior.org Thu Jun 14 12:06:03 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 14 Jun 2007 08:06:03 -0400
Subject: [Infowarrior] - Tiger Woods on NBC*....?
Message-ID:

Good morning, all.....

Somebody care to tell me why NBC is showing Tiger Woods' tee-off at the US Open simultaneously on ALL their cable/broadcast channels? They STOPPED coverage on MSNBC and CNBC (news channels) to break away to a routine event at an annual sporting event --- one that they're also broadcasting on NBC, SciFi, Bravo, etc, etc, etc.

Why the devil is this so all-fired important to warrant such channel distribution? And why the devil is this simple act of teeing-off pre-empting two major news networks? Who is NBC trying to impress?

NBC Universal, forget Tiger Woods.....you have teed ME off today.

-rick
Infowarrior.org

From rforno at infowarrior.org Thu Jun 14 16:35:40 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 14 Jun 2007 12:35:40 -0400
Subject: [Infowarrior] - FBI Terror Watch List 'Out of Control'
Message-ID:

FBI Terror Watch List 'Out of Control'
June 13, 2007 8:55 AM
Justin Rood Reports:
http://blogs.abcnews.com/theblotter/2007/06/fbi_terror_watc.html

A terrorist watch list compiled by the FBI has apparently swelled to include more than half a million names. Privacy and civil liberties advocates say the list is growing uncontrollably, threatening its usefulness in the war on terror. The bureau says the number of names on its terrorist watch list is classified. A portion of the FBI's unclassified 2008 budget request posted to the Department of Justice Web site, however, refers to "the entire watch list of 509,000 names," which is utilized by its Foreign Terrorist Tracking Task Force.
A spokesman for the interagency National Counterterrorism Center (NCTC), which maintains the government's list of all suspected terrorists with links to international organizations, said they had 465,000 names covering 350,000 individuals. Many names are different versions of the same identity -- "Usama bin Laden" and "Osama bin Laden" for the al Qaeda chief, for example. In addition to the NCTC list, the FBI keeps a list of U.S. persons who are believed to be domestic terrorists -- abortion clinic bombers, for example, or firebombing environmental extremists, who have no known tie to an international terrorist group. Combined, the NCTC and FBI compendia comprise the watch list used by federal security screening personnel on the lookout for terrorists. While the NCTC has made no secret of its terrorist tally, the FBI has consistently declined to tell the public how many names are on its list. Because the number is classified, an FBI spokesman told the Blotter on ABCNews.com, he was unable to comment for this story. "It grows seemingly without control or limitation," said ACLU senior legislative counsel Tim Sparapani of the terrorism watch list. Sparapani called the 509,000 figure "stunning." "If we have 509,000 names on that list, the watch list is virtually useless," he told ABC News. "You'll be capturing innocent individuals with no connection to crime or terror." U.S. lawmakers and their spouses have been detained because their names were on the watch list. Reporters who have reviewed versions of the list found it included the names of former Iraqi dictator Saddam Hussein, at the time he was alive but in custody in Iraq; imprisoned al Qaeda plotter Zacarias Moussaoui; and 14 of the 19 Sept. 11, 2001 hijackers, all of whom perished in the attacks. "There's a reason the FBI has a '10 Most Wanted' list, right? We need to focus the government's efforts on the greatest threats. 
When the watch list grows to this level, it's useless as an anti-terror tool," Sparapani said.

From rforno at infowarrior.org Thu Jun 14 19:53:30 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 14 Jun 2007 15:53:30 -0400
Subject: [Infowarrior] - TSA and Sippy-Cups at DCA (more TSA follies)
Message-ID:

*speechless*

Nightmare at Reagan National Airport: A Security Story to End all Security Stories
by Bill Adler | June 13, 2007 at 05:30 pm
http://www.nowpublic.com/nightmare_at_reagan_national_airport_a_security_story_to_end_all_security_stories

If you travel enough, you've seen it all -- and possibly some of the awful things that can happen while traveling will have actually happened to you. But nothing I've read about or experienced comes close to what Monica Emmerson experienced while at Reagan National Airport on June 11th while traveling with her 19-month-old toddler. This isn't one of those Catch-22 bureaucratic snafus; this isn't about rules being applied to the letter. This story is mostly about what can happen simply because the authorities in charge decide that they're going to exercise their authority because they can, regardless of whether it's legal or right or makes any sense at all. The incident started when Monica was stopped while going through airport security because there was water in her son's sippy cup. The sippy cup was seized by TSA. Monica wanted the cup back because the sippy cup was the only way her son would drink -- and it was a long flight between Washington, DC and Reno, Nevada where she was going for a family reunion. If you've ever had a toddler you understand about sippy cups. So she was willing to spill the water out. Drink the water. Anything -- all that she wanted was to be able to have a cup that her 19-month-old toddler could drink from.
Here's what happened in Monica's words:

"I demanded to speak to a TSA [Transportation Security Administration] supervisor who asked me if the water in the sippy cup was 'nursery water or other bottled water.' I explained that the sippy cup water was filtered tap water. The sippy cup was seized as my son was pointing and crying for his cup. I asked if I could drink the water to get the cup back, and was advised that I would have to leave security and come back through with an empty cup in order to retain the cup. As I was escorted out of security by TSA and a police officer, I unscrewed the cup to drink the water, which accidentally spilled because I was so upset with the situation.

"At this point, I was detained against my will by the police officer and threatened to be arrested for endangering other passengers with the spilled 3 to 4 ounces of water. I was ordered to clean the water, so I got on my hands and knees while my son sat in his stroller with no shoes on since they were also screened and I had no time to put them back on his feet. I asked to call back my fiancé, who I could still see from afar, waiting for us to clear security, to watch my son while I was being detained, and the officer threatened to arrest me if I moved. So I yelled past security to get the attention of my fiancé.

"I was ordered to apologize for the spilled water, and again threatened arrest. I was threatened several times with arrest while detained, and while three other police officers were called to the scene of the mother with the 19 month old. A total of four police officers and three TSA officers reported to the scene where I was being held against my will. I was also told that I should not disrespect the officer and could be arrested for this too. I apologized to the officer and she continued to detain me despite me telling her that I would miss my flight.
The officer advised me that I should have thought about this before I 'intentionally spilled the water!'" Monica said that the incident ended this way: "I missed my flight, needless to say after being detained for over 40 minutes. After the officer was done humiliating me, I was advised that I could go through the security check point in an attempt to catch my flight. The officer insisted that my son and I be rescreened despite us both being detained and under her control the entire time." During the weeks and months after 9/11 some passengers who were caught with unidentified fluids while going through airport security were told to drink the liquid (including breast milk) to prove that it wasn't an explosive. In one incident, a fourteen year old boy was ordered to drink water that he was carrying, and it turned out that this was unclean pond water he was carrying for a science project. Monica was more than happy to drink her child's tap water --all three or four ounces of it-- and tried, in fact. But it was the trying and spilling that seems to have escalated this into a situation that required the presence of four TSA officers and three police officers. TSA found no other security problems with Monica Emmerson. Not even a nail clipper. Just the water and the sippy cup. TSA's rules allow passengers to take up to three ounces of liquid on board; they also allow parents to take milk or baby formula on board in larger quantities than that, if declared to TSA. But the question that she was asked by TSA --was this "nursery water" in the sippy cup?-- was an unanswerable one, since there's no such thing as nursery water in the TSA regulations. Or in the real world, either. Monica Emmerson was detained for 45 minutes. She wasn't questioned about possible ties to terrorists. Her carry-on items weren't rigorously searched -- or even searched again. Neither the police nor TSA took any action that indicated that they thought she might be a security risk.
She was just detained, harassed and threatened with arrest. All because of a sippy cup with water in it.

From rforno at infowarrior.org Fri Jun 15 12:17:30 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 15 Jun 2007 08:17:30 -0400
Subject: [Infowarrior] - Coming attractions for history's first cyber-war
Message-ID:

CNET News.com http://www.news.com/

Coming attractions for history's first cyber-war
By Charles Cooper
http://news.com.com/Coming+attractions+for+historys+first+cyber-war/2010-7349_3-6191184.html
Story last modified Fri Jun 15 04:00:04 PDT 2007

Most of the coast-to-coast office water cooler talk this week doubtless revolved around David Chase's ambiguous (and brilliant) finale to the Sopranos last Sunday night. We don't know whether Tony gets whacked or whether it was a dream sequence--or even both. I suppose that was as it should be as it left us guessing in true whodunit fashion about motive. Another fascinating whodunit novella is playing out a few time zones away from here in the nation of Estonia--but this one is for real. In case you missed the news, here's the headline version: in late April, Estonia's government moved a Soviet-era war memorial commemorating an unknown Russian killed fighting the Germans. Needless to say, this went over like a lead balloon with neighboring Russia, which still hails the Red Army for its role defeating the Nazis. Not so in Estonia, which spent nearly a half century under communist rule. The country decoupled from the Soviet Union in 1991 and has not looked back. The only people upset about the change in letterhead are the country's ethnic Russians. So it was that Estonia's decision triggered rioting among that same population. One man was killed, and 153 people were injured. In Moscow, President Vladimir Putin very publicly criticized Estonia and demonstrators blockaded the Estonian Embassy. Up until that point, the storyline played out with few surprises.
Eastern Europe is still a cauldron of conflicting nationalistic passions where there's not always a shared, agreed-upon narrative of the post-War era. Then things got squirrelly. Despite their nation's small size, Estonia's 1.4 million people represent one of the most wired populations in the entire world. The Parliament actually declared Internet access to be a basic human right. Unlike the U.S., which seems congenitally unable to resolve the mystery of e-voting, Estonia has been using the Internet to elect representatives since 2005. So if some group wanted to really wreak havoc, how better than to strike at Estonia's Internet infrastructure? And that's what happened. Shortly after the government announced its decision, Estonia's Web sites--including those of government ministries and the prime minister's Reform Party--came under attack in a distributed denial of service attack that lasted for weeks. Russia rejected accusations that the government had anything to do with the cyber barrage. In an earlier interview with CNET News.com, Jose Nazario, a security researcher from Arbor Networks, suggested that the 100 to 200 megabit per second size of the attack waves was on the low side of the average DOS attack. Whoever it was, though, knew what they were doing. Things got so bad that NATO was invited to provide technical assistance to help shore up Estonia's defenses. A NATO spokesman had it right when he said that in the 21st century, it's not just going to be about tanks and planes. What he didn't say was whether this represented the opening shots of history's first cyber war. I put that question to Dorothy Denning, an expert in terrorism and cyber security at the Naval Postgraduate School. She thinks it's more likely that this particular episode was the work of protesters who wanted to register their unhappiness. 
"Governments do try to keep collateral damage to a minimum and this looks to have been the work of people where it's obvious where their sympathies lie," she said. "There's too much collateral damage." Now on News.com TorrentSpy ruling a 'weapon of mass discovery' Google seeks 'open' wireless networks Photos: Kodak's highly sensitive sensor Extra: Are keyboards dishwasher-safe? In that respect, this most recent denial of service attack resembles cyber-conflicts which have broken out between hackers in India and Pakistan as well as between sympathizers of Israel and the Palestinians. But Denning also noted that national security experts in our country are likely to take away at least one lesson from what's going on in Estonia. "It's taken cyber protest to the next level," Denning said. "It can happen here or to any country where people are unhappy. These were serious attacks which lasted long time. And it proves you need defenses." She's absolutely right but so far cyber security remains honored more in the breach than in the observance by the federal government. For all its exhortations to beef up homeland security, the Bush administration still considers this a side show compared with more pressing geo-political issues. Maybe so, but they're kidding themselves if they don't think that chicken is one day going to come home to roost. That's when I won't be the only person with a blue moon in their eye. Copyright ?1995-2007 CNET Networks, Inc. All rights reserved. From rforno at infowarrior.org Fri Jun 15 12:48:38 2007 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 15 Jun 2007 08:48:38 -0400 Subject: [Infowarrior] - Proposal for a "US Cyber Health Agency" ?!? 
Message-ID:

The slides for this chap's talk are located here: http://www.securityfocus.com/brief/526?ref=rss

One point instantly jumped out at me:

> One could argue that if an operating system or application was properly
> designed and coded, it would not be broadly vulnerable to infection, and thus
> the ultimate responsibility for any infestation lies with the maker of the
> apparently defective operating system (or the maker of a defective
> application)?
>
> But, vendors usually license their products "as-is" with extensive
> disclaimers, thereby doing their legal best to completely eliminate any and
> all liability they might have had if they'd sold a defective product.

....but instead of changing commercial law to remedy this "as-is" licensing loophole that would help hold vendors accountable for product quality AND reduce (to some degree or other) the potential for vulnerabilities, this presentation instead proposes a massive federal bureaucracy to provide *voluntarily*-requested prophylactic services?

He brings up some good points and shortcomings elsewhere in the presentation, but I have zero confidence that such a "cyber health agency" would be anything but a PR stunt to show the public that the government is doing "something, anything" in the name of Internet security.

-rf

From rforno at infowarrior.org Fri Jun 15 13:10:24 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 15 Jun 2007 09:10:24 -0400
Subject: [Infowarrior] - Second Movie-Plot Threat Contest Winner
Message-ID:

Second Movie-Plot Threat Contest Winner

On April 1, I announced the Second Annual Movie-Plot Threat Contest:

Your goal: invent a terrorist plot to hijack or blow up an airplane with a commonly carried item as a key component. The component should be so critical to the plot that the TSA will have no choice but to ban the item once the plot is uncovered. I want to see a plot horrific and ridiculous, but just plausible enough to take seriously. Make the TSA ban wristwatches.
Or laptop computers. Or polyester. Or zippers over three inches long. You get the idea. Your entry will be judged on the common item that the TSA has no choice but to ban, as well as the cleverness of the plot. It has to be realistic; no science fiction, please. And the write-up is critical; last year the best entries were the most entertaining to read.

On June 5, I posted three semi-finalists out of the 334 comments:

* Butterflies and beverages; water must be banned.
* Dimethylmercury; security checkpoints must be banned, but of course they can't be. Oh, what to do!
* Oxy-hydrogen bomb; wires -- earphones, power cables, etc. -- must be banned.

Well, we have a winner. I can't divulge the exact formula -- because you'll all hack the system next year -- but it was a combination of my opinion, popular acclaim in blog comments, the opinion of Tom Grant (the previous year's winner), and the opinion of Kip Hawley (head of the TSA).

< - >

http://www.schneier.com/blog/archives/2007/06/second_movieplo.html

From rforno at infowarrior.org Fri Jun 15 13:16:57 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 15 Jun 2007 09:16:57 -0400
Subject: [Infowarrior] - Record exec to academic: stop criticizing us or I'll tell your university
Message-ID:

Record exec to academic: stop criticizing us or I'll tell your university

Andrew Dubber, who is on faculty at the University of Central England, blogged a link to a story critical of RIAA lawsuits. Paul Birch, a British record exec who sits on the boards of the BPI and IFPI (trade orgs that represent the record industry in the UK and around the world) wrote him an angry letter, telling him that he wasn't allowed to post that kind of thing to his personal blog, because he works for a university that is funded by the government. Dubber offered to give him rebuttal space, and Birch took the opportunity to complain that the record execs who ordered lawsuits against more than 20,000 music fans (in the US alone!)
get angry phone-calls, emails and in-person questions. Dubber countered with words about how suing music fans is a bad idea, and Birch closed with this threat:

It expresses opinion, it's not factual. If you persist then I shall make a formal complaint to the University. Your choice.

And this guy wonders why record executives are perceived as bullies.

< - >

http://www.boingboing.net/2007/06/15/record_exec_to_acade.html

From rforno at infowarrior.org Fri Jun 15 13:29:03 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 15 Jun 2007 09:29:03 -0400
Subject: [Infowarrior] - Blackwater sues families of slain employees for $10M
Message-ID:

....incredible.......rf

Blackwater Heavies Sue Families of Slain Employees for $10 Million in Brutal Attempt to Suppress Their Story
By Daniel J. Callahan and Marc P. Miles, AlterNet
Posted on June 8, 2007, Printed on June 15, 2007

The following article is by the lawyers representing the families of four American contractors who worked for Blackwater and were killed in Fallujah. After Blackwater refused to share information about why they were killed, the families were told they would have to sue Blackwater to find out. Now Blackwater is trying to sue them for $10 million to keep them quiet.

< - >

http://www.alternet.org/story/53460/

From rforno at infowarrior.org Fri Jun 15 14:39:56 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 15 Jun 2007 10:39:56 -0400
Subject: [Infowarrior] - Creepy spooky energy lobby advertising
Message-ID:

The folks at DC lobbying group Secure Energy are ramping up the Osama factor these days and running their "Enemies" commercials incessantly on television this week.

http://secureenergy.org/news_multimedia.php

Using Osama as a poster-boy notwithstanding, note the sinister post-911 "feel" to the commercial -- in fact, all their commercials. Now, I'm all for a sound reliable energy policy that reduces our dependence on foreign oil, but c'mon guys.....enough is enough.
Oh wait -- FEAR SELLS!

-rf

From rforno at infowarrior.org Fri Jun 15 19:48:43 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 15 Jun 2007 15:48:43 -0400
Subject: [Infowarrior] - House OKs $50 million in Real ID grants
Message-ID:

House OKs $50 million in Real ID grants
Posted by Anne Broache
http://news.com.com/8301-10784_3-9730100-7.html?part=rss&subj=news&tag=2547-1_3-0-20

More than half of the states have passed some sort of measure scorning national drivers license standards known as Real ID, but that didn't stop congressional politicians on Friday from attempting to sweeten the deal by approving an additional $50 million aimed at helping them out. By a 268-150 vote on Friday morning, the U.S. House of Representatives approved those new grants for states as part of a Homeland Security spending bill covering the next fiscal year. But will the extra dough appease states that have balked at the estimated $14 billion pricetag --according to the Office of Management and Budget--projected for the ten-year effort? The early indication is probably not. David Quam, a lobbyist for the National Governors Association, told CNET News.com on Friday that while the move is somewhat encouraging, "this has never been just about money. It's both about money and passing a law that will actually make these systems more secure. You can throw all the money you want at this, but unless you make changes to Real ID itself, it can't be done." According to draft rules for the program, states must issue machine-readable licenses whose information could then be shared among individual state motor vehicle department databases. Homeland Security officials say that's necessary to verify that the same driver isn't licensed in more than one state. There's no formal requirement, however, that such data be encrypted, which has prompted concerns about the potential for identity theft.
Defenders of the regime, including Bush administration officials, claim the overhaul is necessary to create more reliable, tamperproof identification documents that can help to thwart terrorist attacks and to keep illegal immigrants from obtaining false licenses. But privacy and civil liberties advocates have dogged the plan, which was tacked onto an emergency Iraq war spending bill that won unanimous approval in 2005, arguing that it will create a massive burden on states and is not sufficiently privacy-protective--nor will it stop wrongdoers with legally-obtained documents from carrying out plots against the United States. The additional funding did draw applause from the Information Technology Association of America, whose 325 members include companies that stand to benefit because they, in ITAA's words, have experience implementing "the majority of government credentialing and identity management programs at the federal, state and local level and provide similar solutions to commercial companies." Like all spending bills, this one originated in the House, but it won't take effect unless the Senate and the president sign off, which isn't always a speedy process. Meanwhile, there is also movement afoot in the Senate to swap the original requirements with what supporters, such as the American Civil Liberties Union, say is a more secure, flexible approach.

From rforno at infowarrior.org Fri Jun 15 19:52:50 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 15 Jun 2007 15:52:50 -0400
Subject: [Infowarrior] - TSA confiscates clown's makeup:
Message-ID:

The hysterical hijinks at our nation's airports continues........rf

Let's all take a moment to bow our heads in gratitude to the brave TSA agents who saved many lives by confiscating a professional clown's makeup before he was able to make a bomb out of it on the plane.
< - > http://www.boingboing.net/2007/06/15/tsa_confiscates_clow.html From rforno at infowarrior.org Sat Jun 16 02:20:50 2007 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 15 Jun 2007 22:20:50 -0400 Subject: [Infowarrior] - Group: Anti-hacking laws can hobble Net security Message-ID: Group: Anti-hacking laws can hobble Net security Robert Lemos, SecurityFocus 2007-06-15 http://www.securityfocus.com/print/news/11470 Jeremiah Grossman has long stopped looking for vulnerabilities in specific Web sites, and even if he suspects a site to have a critical flaw that could be compromised by an attacker, he's decided to keep quiet. The silence weighs heavily on the Web security researcher. While ideally he would like to find flaws, and help companies eliminate them, the act of discovering a vulnerability in any site on the Internet almost always entails gaining unauthorized access to someone else's server -- a crime that prosecutors have been all too willing to pursue. "I have long since curtailed my research," said Grossman, who serves as the chief technology officer for Web site security firm WhiteHat Security. "Any Web security researcher that has been around long enough will notice vulnerabilities without doing anything. When that happens, I don't tell anyone, rather than risk reputational damage to myself and my company." Grossman's fears underscore the fact that security researchers who find flaws in Web sites are crossing a line and trespassing on systems that do not belong to them. However, applying the law to good Samaritans interested in eliminating possible online risks only undermines the security of the Internet, a working group of researchers, digital-rights advocates and federal law enforcement officials concluded this week. 
"I think that if you look at the software security world, there has been many, many cases of someone knowing about a vulnerability before you do and be using it out in the wild," said Sara Peters, editor for the Computer Security Institute. "There is no way to say that these same things are not happening in the Web world. Assuming that nothing is going wrong, because you haven't heard about it is a very myopic and callow way of looking at it." Dubbed the Working Group on Web Security Research Law, the panel of experts has started to study whether researchers have any ability to play the good Samaritan and find security flaws in Web sites without risking prosecution. The group met at the Computer Security Institute's NetSec on Monday and released an initial report that raises more questions about the status of Web vulnerability research than provides answers to concerned bug hunters. While security researchers have been able to test computer software and disclose details about any flaws found, the working group concluded that there is no way to test a Web server without prior authorization and not run the risk of being prosecuted. Software security researchers are free to disclose flaws fully or take part in a process that allows the vendor to plug the holes, while Web researchers that disclose vulnerabilities in a way that angers the Web site owner could easily be reported to law enforcement. "The way it is right now, if you find a vulnerability and the site owner finds about it, you can be held culpable for anything that happens after that," Peters said. "Perhaps, that is a bit of hyperbole, but not much. There is no culpability for the Web site owner." The working group's report, available from the Computer Security Institute (registration required), includes four case studies including that of Eric McCarty. 
In June 2005, McCarty, a prospective student at the University of Southern California, found a flaw in the school's online application system and notified SecurityFocus of the issue. SecurityFocus contacted the school at the request of McCarty and relayed the information to USC, which initially denied the seriousness of the issue but eventually acknowledged the vulnerability after McCarty produced four records that he had copied from the database. In April 2006, federal prosecutors leveled a single charge of computer intrusion against McCarty, who accepted the charge last September. As part of its policy, SecurityFocus did not publish an article on the issue until USC had secured its database. While CSI's Peters believes that good Samaritans should be given some leeway, a few of the comments found on McCarty's computer by the FBI -- and repeated in court documents -- suggested that vengeance was a motive. For that reason, Peters suggests that security researchers who decide to look for vulnerabilities in Web sites use discretion in dealing with site owners. "You can't let anyone run wild and hack into Web sites indiscriminately," Peters said. "If you publicly disclose a vulnerability in a Web site you are pointing a big red arrow at a single site, so there needs to be some discretion." The working group also concluded that the Web is becoming increasingly complex as more sites share information and increase interactivity, characteristics of what is referred to as Web 2.0. Earlier this year, security researchers warned that Asynchronous JavaScript and XML (AJAX), a technology that many sites use to add Web 2.0 features, brings additional risks to the table for security researchers and vulnerability analysts. "AJAX is not necessarily adding more vulnerabilities to the landscape, it is making it more difficult for the scanner vendors to find the vulnerabilities," said WhiteHat Security's Grossman, who is also a member of the working group. 
"The sites still have vulnerabilities, but they are harder to find." Independent researchers finding vulnerabilities in Web sites could put pressure on site owners to secure their part of the Internet. However, the working group could not agree on whether the law should be changed to allow for good Samaritans. That likely leaves liability as the best stick, said Grossman, who Web site owners should be held liable to some extent for any consumer data lost due to a vulnerability in their site. "I think the motivation has to monetary," he said. "Right now, the Web site owners are the ones that have to pay for the security, but the consumer is the one bearing all the costs of failure." Such an equation, he said, is unlikely to add up to better security. From rforno at infowarrior.org Sat Jun 16 03:11:34 2007 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 15 Jun 2007 23:11:34 -0400 Subject: [Infowarrior] - NIST Guidelines on Cell Phone Forensics Message-ID: SP800-101 Guidelines on Cell Phone Forensics June 15, 2007 http://csrc.nist.gov/publications/drafts/Draft-SP800-101.pdf From rforno at infowarrior.org Sat Jun 16 13:08:43 2007 From: rforno at infowarrior.org (Richard Forno) Date: Sat, 16 Jun 2007 09:08:43 -0400 Subject: [Infowarrior] - U.S. Eyes Antiterror Rules for Small Jets and Boats Message-ID: U.S. Eyes Antiterror Rules for Small Jets and Boats http://www.nytimes.com/2007/06/16/washington/16secure.html?_r=1&oref=slogin By ERIC LIPTON Published: June 16, 2007 WASHINGTON, June 15 ? Acknowledging that the nation remains too vulnerable to terrorist attack by small planes and recreational boats, the Department of Homeland Security is considering new requirements to allow authorities to identify operators and passengers in millions of these vehicles as they ply the coasts and skies. 
Department personnel have been touring the country meeting with trade groups and elected officials to gauge their reaction to the proposed changes, to be issued by the Transportation Security Administration and the Coast Guard. "What I'm trying to do is to kind of stick my toe in the water and see if I get bit by a piranha," the Coast Guard commandant, Vice Adm. Thad W. Allen, told a group of state legislators at a recent briefing. The Coast Guard proposals in particular are still in the conceptual stages but are already drawing protests from boat owners, who under one measure would be required to pass a proficiency test and to carry a form of government-issued identification. "These are ill-conceived solutions that will inconvenience everyone and not result in a substantial increase in security," said Michael G. Sciulla, senior vice president of the Boat Owners Association of the United States, which is already organizing to fight the proposals. The threat posed by small planes and boats has been well documented. While the United States is spending billions of dollars to screen cargo containers carried by ships, as well as passengers and baggage on commercial planes, a small private jet could be used to fly a weapon, or a team of terrorists, into the country. The first set of new rules, to be announced by the end of this summer, will most likely be for small planes. Under those rules, boarding of small private planes would continue to be allowed without X-ray screening of passengers and baggage. But passengers on corporate and fractionally owned jets would for the first time be required to undergo terrorist-watch-list checks, particularly if they are flying into the United States from overseas. A similar mandate now generally applies only to small planes flying as a charter.
Under another proposal, general aviation airports, which range from a grass runway in the middle of a field to sprawling complexes with air traffic rivaling that at some major city airports, would have to conduct security assessments, identifying vulnerabilities. In addition, planes parked at those airports might be required to have ignition or propeller locks. Kip Hawley, assistant secretary of the Transportation Security Administration, said two goals of the new initiative could provoke at least some protests: ensuring that unauthorized pilots cannot gain access to small planes and that officials have a way of knowing who is at the controls of a plane in flight. A variety of options are under consideration to meet these goals, including requiring that small planes eventually have equipment that would allow the authorities to know automatically the plane's owner and the pilot's identity. "We know which pilots own which aircraft," Mr. Hawley said in an interview. "The next step would be to know who is on the runway in that aircraft." Many pilots maintain adamantly that their small planes pose only a very modest threat: a four-seat, single-engine Cessna weighs about the same as a medium-size S.U.V. And the industry is represented by a lobbying group -- the Aircraft Owners and Pilots Association -- that is known for its campaigns to preserve liberties and that is indeed sometimes referred to as the "N.R.A. of the air." The right to captain a small boat, meanwhile, with little interference by the government is fiercely defended by organizations like the boat owners association. Mr. Hawley and Admiral Allen said they were trying to work closely with these groups to avoid a conflict. A National Small Vessel Security Summit, for instance, is scheduled for later this month in the Washington area. But Michael Chertoff, secretary of homeland security, said his department would not be shy about making new demands. "If we just need to be a little tougher," Mr.
Chertoff said, "we're going to be a little tougher." Matthew L. Wald contributed reporting.

From rforno at infowarrior.org Sun Jun 17 15:10:44 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 17 Jun 2007 11:10:44 -0400
Subject: [Infowarrior] - FUD Alert: Piracy "more serious" than burglary, fraud, bank robbery
Message-ID:

Copyright coalition: piracy more serious than burglary, fraud, bank robbery
By Ken Fisher | Published: June 15, 2007 - 11:57AM CT
http://arstechnica.com/news.ars/post/20070615-copyright-coalition-piracy-more-serious-than-burglary-fraud-bank-robbery.html

For the more than nine years that Ars Technica has been publishing online, we've been outspoken when it comes to the lack of balance between the threat of piracy (which is always overstated) and the "solutions" to piracy (which are often draconian) that some copyright holders demand. Whether it's laws that would turn the possession of software into a crime, completely baked piracy reports, or yet another law meant to criminalize civil infractions, we've cast a critical eye on an industry that defines solipsism. And, every once in a while, we're accused of hyperbole, of exaggerating our objections. That's why it's with both a grin and a lonely tear that I report to you the latest ridiculous claim from the copyright-trumps-all brigade. NBC/Universal general counsel Rick Cotton suggests that society wastes entirely too much money policing crimes like burglary, fraud, and bank-robbing, when it should be doing something about piracy instead. "Our law enforcement resources are seriously misaligned," Cotton said. "If you add up all the various kinds of property crimes in this country, everything from theft, to fraud, to burglary, bank-robbing, all of it, it costs the country $16 billion a year. But intellectual property crime runs to hundreds of billions [of dollars] a year."
Cotton's comments come in Paul Sweeting's report on Hollywood's latest shenanigans on Capitol Hill. There are two obvious rejoinders to such a ridiculous statement. The first is that "hundreds of billions of dollars a year" is a myth. The MPAA's own cherry-picked study from Smith Barney in 2005 put their annual loss at less than $6 billion, and while the music and software industries also like to publish trumped-up claims, the figures are nowhere near hundreds of billions of dollars each year. The second objection, of course, is that the traditional crimes Cotton describes often involve the destruction of people's lives along with property. Burglaries can result in homicide, as can fraud (ask the preacher's wife), while bank robbery is without a doubt a dangerous game. Those crimes also typically involve real property. For better or for worse, real property should not be confused with intellectual property, which is not subject to the same rules of scarcity. Stopping a bank heist is, without a doubt, a far more important matter than stopping the bootlegging of Gigli or Spiderman 3. Chances are you would prefer that the cops spend their efforts protecting people from rampant home burglaries than chasing down kids with pirated music on their iPods. Regardless, Cotton and his Coalition Against Counterfeiting and Piracy are seeking to change federal law enforcement emphasis so that intellectual property crimes are given priority over other kinds of crime... a realignment, to play off Cotton's statement. Battling organized crime is hardly objectionable, and we hope the coalition sees success in taking down the profiteers of piracy. Offending the public with yet more lies and hyperbole isn't going to curry much favor, however.

From rforno at infowarrior.org Sun Jun 17 20:03:44 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 17 Jun 2007 16:03:44 -0400
Subject: [Infowarrior] - Chips let PCs get turned on remotely
Message-ID:

Chips let PCs get turned on remotely
http://news.yahoo.com/s/ap/20070617/ap_on_hi_te/remote_control_chips&printer=1;_ylt=ApsExA0lK7jOjrwkXoKHkOVk24cA
By JORDAN ROBERTSON, AP Technology Writer

Your work computer just suffered a major meltdown. Maybe the operating system failed, or a virus crashed the hard drive. Either way, your employer can now tunnel into your crippled machine remotely by communicating directly with the chips inside it, allowing authorized managers to power up and repair turned-off PCs within the corporate network at virtually any time. The technology -- which Intel Corp. introduced last year to rave reviews from computer professionals -- represents a fundamental change in the way work PCs are repaired, updated and administered. Now the world's largest chip maker is studying how to bring the same technology to the consumer market. Santa Clara-based Intel envisions consumers one day signing up for a service that allows their Internet providers to automatically install security upgrades and patches, whether the PC is turned on or not. Once they return to their computers, users would then get an alert with a detailed record of the fixes. In some ways it's the computer-industry equivalent of General Motors Corp.'s OnStar service, which allows an operator in a call center to open your car doors if you've locked the keys inside. Intel is hoping consumers will decide that the convenience of having a round-the-clock watchdog outweighs the obvious privacy and security concerns raised by opening a new remote access channel into the PC. Digital-privacy experts aren't worried about the use of such technology in the workplace, where employers may peek into any worker's machine at any time.
But advocates said the same technology might raise questions about the level of control consumers are willing to cede to keep their machines running smoothly. "It's a lot of power to give over to someone -- people are storing a large portion of their lives in their computers," said Seth Schoen, a staff technologist with the Electronic Frontier Foundation. "My main concern would be to make sure consumers knew who they were giving access to, and what kind of access they're giving." Intel's Active Management Technology only allows technicians to see a small amount of mundane but critical information, mostly configuration and inventory data. Only authorized IT managers already inside the corporate network can access the computers, and they cannot rifle through an employee's files, or see the Web browsing history, or gain access to other personal files, Intel said. They can, however, install missing or corrupt files, and even reinstall the entire operating system by having the system boot from a remote drive on the network. "The technology itself is privacy-neutral -- it doesn't know who you are, it doesn't really care what you do," said Mike Ferron-Jones, director of digital office platform marketing at Intel. "Any policy decisions about what a user can do in a business environment with their PC, those are up to the business owner. (Active Management Technology) does not facilitate those policies in any way." The top two personal computer makers, Hewlett-Packard Co. and Dell Inc., and retailers such as Best Buy Co., also offer remote tech support services for consumers -- if the machines are switched on and plugged into the network. Intel's technology opens up a new level of access. Intel's Active Management Technology works by keeping a communications chip inside the PC active at virtually all times, as long as the machine has battery or AC power.
Once an IT manager reaches out to that chip, it contacts the chipset inside the same machine, which jolts to life and can access certain core data stored on a memory chip that retains information even when the computer is off. Chipsets are responsible for sending data from the microprocessor to the rest of the computer. The technology is only available in desktops with Intel's vPro branding and laptops with the Centrino Pro branding. Those brands indicate that the PCs have a full package of Intel chips, and workers with those computers should assume their machines are being monitored in this manner. Intel said about 250 businesses worldwide with between 1,000 and 10,000 PCs each are now using the desktops. Laptop sales numbers are not yet available, as those machines were made available only about three weeks ago. The technology is similar to the existing Wake on LAN feature, which also allows managers to boot PCs remotely, but Intel customers said the Active Management Technology is more secure and reliable because they can communicate directly with the chipset even in corrupted machines. Richard Shim, an analyst with market researcher IDC, said IT managers have been asking for the technology for some time to speed their service calls and save the company money. By giving them a uniform and reliable way to access their fleet of computers, the technology lets system administrators more easily manage widely dispersed machines from different manufacturers, Shim said. That lessens the need for the patchwork of hardware and software they have been relying on to perform some of the same tasks. "It will help automate the process, and any time you can automate something in technology, it's a blessing," he said. "It addresses pain points that are common to all IT managers." In one study of companies already using Active Management Technology, desk-side visits for hardware problems dropped 60 percent and trips for software glitches fell 91 percent. "They're huge numbers --
for us it's extremely costly to send a field technician out," said Matt Trevorrow, vice president of infrastructure services for Electronic Data Systems Corp., a provider of information technology outsourcing services that uses the new Intel technology and is offering it to customers. "It all comes back to getting the end user back to being productive."

From rforno at infowarrior.org Mon Jun 18 03:17:08 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 17 Jun 2007 23:17:08 -0400
Subject: [Infowarrior] - Microsoft moves to weaken NY Election law
Message-ID:

Software giant moves to weaken NY Election law
http://nyvv.org/blog/bolipariblog.html

The 800 pound gorilla of software development has moved forcefully into New York State, supported by voting machine vendors using Microsoft Windows in their touch screen voting machines and other systems. Over the last two months Microsoft and a cadre of high paid lobbyists have been working a full-court press in Albany in an attempt to bring about a serious weakening of New York State election law. This back door effort by private corporations to weaken public protections is about to bear fruit. On Thursday, June 14, I received a copy of proposed changes to New York State Election Law drafted by Microsoft attorneys that has been circulating among the Legislature. These changes would gut the source code escrow and review provisions provided in our current law, which were fought for and won by election integrity activists around the state and adopted by the Legislature in June 2005. In an earlier blog I wrote about Microsoft's unwillingness to comply with New York State's escrow and review requirements. Now the software giant has gone a step further, not just saying "we won't comply with your law" but actively trying to change state law to serve their corporate interests.
Microsoft's attorneys drafted an amendment which would add a paragraph to Section 1-104 of NYS Election Law defining "election-dedicated voting system technology". Microsoft's proposed change to state law would effectively render our current requirements for escrow and the ability for independent review of source code in the event of disputes completely meaningless - and with it the protections the public fought so hard for. Adding insult to injury, these changes are being slipped into a bill that may be voted on Monday or Tuesday, June 18 or 19. That bill's stated purpose is to make "technical changes" to the recent law moving the date of New York's presidential primary to February. Because this bill involving the new primary date must be passed next week before the Legislative session ends (New York has jumped on the bandwagon to be part of the super presidential primary in February 2008) this grave weakening of the public's right to review software would come along part and parcel with the primary date change. The players promoting this behind the scenes are relying on the fact that this reprehensible eradication of citizen protections won't be noticed until it's too late. If Microsoft and the vendor lobbyists had their way, the public would have known nothing about this until after the law passed. Well that much at least, didn't work. We've found out about this secretive move, albeit only four days before the bill containing this poisonous provision is to be voted on. The question now is will the Legislature approve this appalling weakening of our law? Up to now, New York State has been rightfully proud to have adopted some of the strictest regulations regarding the new electronic voting systems in the entire nation. The Legislature has been patting themselves on the back for two years now for passing such an excellent set of laws. For the most part, they had a right to be proud.
But now these powerful private companies are working the Legislature behind the scenes trying to quietly change New York Election Law to remove the public's protections and to serve their private interests. The big question is, will the New York State Legislature give in to these powerful corporate interests or will they stand up for transparency, security, and the public's right to know? Take Action Now - It's urgent that you call your State Senator and Assembly representatives on Monday, June 18, at their Albany offices, and tell them they must not weaken New York State's escrow and review requirements. Remind them that the Legislature passed a strong law 2 years ago - they must not give in to pressure by voting machine vendors to undermine those protections. Find your Assembly member's contact information here: http://www.assembly.state.ny.us/mem/ (Not sure who your Assembly member is? Click here to search by Zip Code) Find your State Senator's contact information here: http://www.senate.state.ny.us/senatehomepage.nsf/senators?OpenForm (Not sure who your State Senator is? Click here to search by Zip Code)

From rforno at infowarrior.org Mon Jun 18 12:26:43 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 18 Jun 2007 08:26:43 -0400
Subject: [Infowarrior] - Followup on TSA Sippy-Cup incident
Message-ID:

http://www.schneier.com/blog/archives/2007/06/tsa_and_the_sip.html

< paras about the original incident removed for brevity >

This story portrays the TSA as jack-booted thugs. The story hit the Internet last Thursday, and quickly made the rounds. I saw it on BoingBoing. But, as it turns out, it's not entirely true. The TSA has a webpage up, with both the incident report and video.

TSO [REDACTED] took the female to the exit lane with the stroller and her bag. When she got past the exit lane podium she opened the child's drink container and held her arm out and poured the contents (approx. 6 to 8 ounces) on the floor.
MWAA Officer [REDACTED] was manning the exit lane at the time and observed the entire scene and approached the female passenger after observing this and stopped her when she tried to re-enter the sterile area after trying to come back through after spilling the fluids on the floor. The female passenger flashed her badge and credentials and told the MWAA officer "Do you know who I am?" An argument then ensued between the officer and the passenger of whether the spilling of the fluid was intentional or accidental. Officer [REDACTED] asked the passenger to clean up the spill and she did.

Watch the second video. TSO [REDACTED] is partially blocking the scene, but at 2:01:00 PM it's pretty clear that Monica Emmerson -- that's the female passenger -- spills the liquid on the floor on purpose, as a deliberate act of defiance. What happens next is more complicated; you can watch it for yourself, or you can read BoingBoing's somewhat sarcastic summary. In this instance, the TSA is clearly in the right. But there's a larger lesson here. Remember the Princeton professor who was put on the watch list for criticizing Bush? That was also untrue. Why is it that we all -- myself included -- believe these stories? Why are we so quick to assume that the TSA is a bunch of jack-booted thugs, officious and arbitrary and drunk with power? It's because everything seems so arbitrary, because there's no accountability or transparency in the DHS. Rules and regulations change all the time, without any explanation or justification. Of course this kind of thing induces paranoia. It's the sort of thing you read about in history books about East Germany and other police states. It's not what we expect out of 21st century America. The problem is larger than the TSA, but the TSA is the part of "homeland security" that the public comes into contact with most often -- at least the part of the public that writes about these things most.
They're the public face of the problem, so of course they're going to get the lion's share of the finger pointing. It was smart public relations on the TSA's part to get the video of the incident on the Internet quickly, but it would be even smarter for the government to restore basic constitutional liberties to our nation's counterterrorism policy. Accountability and transparency are basic building blocks of any democracy; and the more we lose sight of them, the more we lose our way as a nation.

From rforno at infowarrior.org Mon Jun 18 12:28:38 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 18 Jun 2007 08:28:38 -0400
Subject: [Infowarrior] - Abusing The Secrets Shield
Message-ID:

Abusing The Secrets Shield
By David Kay and Michael German
Monday, June 18, 2007; Page A17
http://www.washingtonpost.com/wp-dyn/content/article/2007/06/17/AR2007061700944.html?nav=rss_opinion/columns

In 1953 the widows of three civilian contractors killed when the military aircraft on which they were testing equipment crashed sought government documents to support their claim of negligence. The Air Force refused to produce the accident report, even for private review by the judge, asserting the "state secrets privilege" to withhold evidence that would jeopardize national security. The trial court ruled in favor of the widows, but the Supreme Court sided with the government and blocked review of the documents. The Reynolds decision, as that case came to be known, set a precedent establishing the executive branch's ability to restrict, in the name of national security, what evidence can be considered at trial. As veterans of the fight against domestic and international terrorism since before that war had a name, we appreciate the need to keep sensitive national security information from the public eye for reasonable periods of time to protect ongoing operations.
However, the executive branch should not be allowed to extend that shield to hide evidence that is "sensitive" simply because it is embarrassing or, worse, demonstrates wrongdoing. Lately the line between sensitive national security information and information that the government would, for other reasons, prefer to keep secret has been blurred. In December 2003, Khaled el-Masri, a German citizen, was detained by the CIA, drugged, beaten, flown to Afghanistan and held without charge in a squalid prison for four months. The CIA, under the leadership of George Tenet, realized that it had the wrong man, but rather than apologize, agents abandoned Masri on a hilltop in Albania, apparently hoping that no one would believe his story. When Masri filed a lawsuit, Tenet's successor, Porter Goss, stepped in and asserted the state secrets privilege. Without demanding production of a single document allegedly subject to the privilege, the judge dismissed the case. In recent months, the Justice Department has claimed the privilege in lawsuits brought against Verizon and AT&T for providing subscribers' telecommunications records to the National Security Agency as part of its domestic surveillance program. Justice Department lawyers cited the Masri decision in arguing for dismissal, claiming that the evidence the plaintiffs would need to litigate the case was so sensitive that not even the judge should review it. Such twisted logic would be laughable were the stakes not so high. Those whose search for justice has been quashed by such executive bullying are often shocked to learn that Congress has never acted to codify the state secrets privilege. It considered doing so in the 1970s but specifically chose not to include the privilege in the federal rules of evidence. Nonetheless, dating from its application in the Reynolds case, the state secrets privilege has been repeatedly invoked, often with disturbing results. 
This is why we, in cooperation with the Constitution Project, have joined with a bipartisan coalition of policy experts, legal scholars and former government officials in calling on Congress to limit the privilege's use. Congress should establish that the executive branch's ability to restrict disclosure of evidence is qualified, not absolute. Federal agencies should not be allowed to dodge even a judge's scrutiny by crying "state secret." And Congress should instruct judges to privately review all the evidence that the executive claims is privileged and independently determine if releasing it would harm national security. In the 1990s, the privileged documents of the Reynolds case were declassified. The only "sensitive" information in the accident report was that the aircraft carrying those contractors was in miserable condition before it took off. We may never know the full details of the CIA's treatment of Khaled el-Masri (who is seeking review of his case by the Supreme Court) or of the NSA's eavesdropping on U.S. citizens. If an independent judge reviews the evidence in those cases and finds that its disclosure would jeopardize national security, we will support protecting such intelligence, whenever possible in a way that does not deny justice to those harmed by government wrongdoing. The founders of this nation trusted judges to serve as a check against the abuse of executive power; surely we must do the same. Liberty and security are mutually reinforcing. We can -- and, to remain true to our American values, must -- demand both from our government. An independent judge should determine what information would be harmful if released and what would demonstrate wrongdoing or simply be embarrassing. History has shown that those who have something to lose are remarkably poor judges of the difference. 
David Kay led the Iraq Survey Group in its search for weapons of mass destruction in 2003-04 and previously served as a weapons inspector with the International Atomic Energy Agency. Michael German is a policy counsel at the American Civil Liberties Union and an adjunct professor at the National Defense University.

From rforno at infowarrior.org Mon Jun 18 19:02:29 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 18 Jun 2007 15:02:29 -0400
Subject: [Infowarrior] - Red Hat Linux gets top government security rating
Message-ID:

Red Hat Linux gets top government security rating
IBM had achieved a new level of security certification with Red Hat Linux.
Robert McMillan (IDG News Service) 18/06/2007 08:27:27
http://www.computerworld.com.au/index.php/id;306842912;fp;4194304;fpid;1

Red Hat Linux has received a new level of security certification that should make the software more appealing to some government agencies. Earlier this month IBM was able to achieve EAL4 Augmented with ALC_FLR.3 certification for Red Hat Enterprise Linux, putting it on a par with Sun Microsystems Inc.'s Trusted Solaris operating system, said Dan Frye, vice president of open systems with IBM. "This is the highest level of security function that anybody has," Frye said. "We have delivered LSPP functionality in Red Hat Enterprise Linux 5 and we have certified that at the EAL4 level of assurance." This rating is awarded by the government-funded National Information Assurance Partnership's (NIAP) Common Criteria Evaluation and Validation Scheme for IT Security program, which evaluates the security of commercial technology products. Red Hat Linux has been certified EAL4 Augmented with ALC_FLR.3 on IBM's mainframe, System x, System p5 and eServer systems. This level of security certification is not usually required for enterprise contracts, but it is mandatory for some programs within government agencies such as the U.S. Department of Defense and the U.S.
National Security Agency, Frye said. Linux had already been certified at the EAL4 level, but this is the first time that the operating system has received the Labeled Security Protection Profile (LSPP) certification, which relates to its access-control features. Linux developers have been working to add these "SE Linux" access control features into the operating system for several years now. SE Linux shipped as part of Red Hat Enterprise Linux 5, and now it has been certified for government use, Frye said. "You now have a level of fine-grained control for everybody," he added. "You can set security based on groups or based on individuals." In addition to LSPP, Red Hat Linux has also been certified with Role Based Access Control Protection (RBAC), and that too is noteworthy, said Red Hat Inc. "Historically, OS vendors have required you buy a separate branched OS to get something that is LSPP and RBAC certified," the company said in a statement. "This is something completely unique for commercial operating systems because the support for multilevel security is native to the OS." According to Frye, the certification is "big news for the Linux industry" because it shows that open-source software can be used for sensitive computing tasks. "If anyone had any doubts that you could do this with an open-source operating system, we've proved them wrong."

From rforno at infowarrior.org Mon Jun 18 19:04:04 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 18 Jun 2007 15:04:04 -0400
Subject: [Infowarrior] - NBC wants more ISPs to spy on users
Message-ID:

NBC wants more ISPs to spy on users, reform Safe Harbor
http://arstechnica.com/news.ars/post/20070618-nbc-wants-more-isps-to-spy-on-users-reform-safe-harbor.html
By Ken Fisher | Published: June 18, 2007 - 12:14PM CT

Last week NBC/Universal general counsel Rick Cotton argued that law enforcement resources are "misaligned."
Cotton says it's wrong to focus on real property theft and potentially deadly crimes when cops could be out enforcing intellectual property laws. Cotton wasn't finished. He filed a response on behalf of NBC Universal to the FCC's call for comments last week on the broadband industry and Net Neutrality which says, in effect, that Net Neutrality is a waste of time. The FCC should be focusing on... you guessed it, piracy! Cotton had harsh words for the government's lack of involvement in shutting down P2P and BitTorrent file sharing. "It is inconceivable that the U.S. government would stand by mutely and permit any other legitimate U.S. business to be hijacked in this fashion," he wrote. "Would the government permit Federal Express or UPS to knowingly operate delivery services in which 60-70% of the payload consisted of contraband, such as illegal drugs or stolen goods?" Cotton also argues that the entire Net Neutrality debate is essentially the result of unfettered piracy online, as he cites a study which claims that two-thirds of traffic online stems from piracy. Remove the pirates, and the congestion disappears, he suggests. Cotton then argued that the DMCA, whose Safe Harbor provisions make sites like YouTube possible and also protects ISPs from piracy which occurs on their networks, is ill-equipped to handle today's P2P threat. Service providers apply the minimum amount of effort to meet the DMCA standard, and sometimes even jeopardize that by failing to enforce their own user agreements, he argued. The only solution, in Cotton's view, is to make ISPs take action against piracy on their networks, using any legal means necessary. "The Commission should make unmistakably clear, as part of its regulations governing broadband industry practices, that broadband service providers have an obligation to use readily available means to prevent the use of their broadband capacity to transfer pirated content," he wrote. 
Such efforts could include better takedown notification practices as well as "using increasingly sophisticated bandwidth management tools." While Cotton didn't name AT&T in his filing, this kind of approach is exactly what AT&T is planning to implement at the behest of the nation's major entertainment trade groups, including the MPAA and the RIAA. Many people consider this to be synonymous with spying, and still others object to the notion that ISPs need to become copyright enforcement cops for the entertainment industry. One thing is certain: there is no "anti-piracy" switch that can be flipped. Technological means will snare innocent users and cross into very questionable privacy grounds. Cotton is completely correct when he asserts that Congress didn't really know what they were getting into when they penned the DMCA. However, few in 1998 could have imagined that Congress would someday be asked to mandate that ISPs actively filter their network traffic for copyrighted material, yet this is precisely what Cotton seems to believe Congress should have done. However, we need to look no further than US colleges and universities to see why this approach can be a big headache. College IT administrators already see themselves as starting a costly "arms race" with pirates who are always one step ahead of their technological tracking means. The entire filing is available as PDF. 

From rforno at infowarrior.org Mon Jun 18 19:17:00 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 18 Jun 2007 15:17:00 -0400
Subject: [Infowarrior] - Supreme Court Rules in Favor of Car Passengers
Message-ID:

Supreme Court Rules in Favor of Car Passengers
http://www.washingtonpost.com/wp-dyn/content/article/2007/06/18/AR2007061800449.html?hpid=moreheadlines
By William Branigin, Washington Post Staff Writer
Monday, June 18, 2007; 1:04 PM

The Supreme Court ruled unanimously today that a passenger in a vehicle has the same right as a driver to challenge the constitutionality of a traffic stop. The court decided that when police stop a vehicle, passengers are "seized" within the meaning of the Fourth Amendment and -- like drivers -- can dispute the legality of a search. The ruling overturned a California Supreme Court decision in the case of Bruce Edward Brendlin, who was arrested on parole violation and drug charges after a November 2001 traffic stop in Yuba City, Calif. Brendlin, who subsequently was sentenced to four years in prison, appealed his conviction on the grounds that the drug evidence should have been suppressed because the traffic stop amounted to "an unlawful seizure of his person," according to today's ruling. Although the state acknowledged that police "had no adequate justification" to stop the car, in which Brendlin was a passenger in the front seat, it argued that he was not "seized" and thus could not challenge the government's action under the Fourth Amendment's search and seizure protections. Government lawyers also argued that Brendlin could not claim that the evidence against him was tainted by an unconstitutional stop, according to the ruling. The California Supreme Court sided with the state in the case, known as Brendlin v.
California, reasoning that Brendlin was not seized because the car's driver was the exclusive target of the traffic stop and that a passenger "would feel free to depart or otherwise to conduct his or her affairs as though the police were not present." The Supreme Court, however, rejected that argument today on grounds that a "reasonable passenger" would not feel free to simply leave the scene of a traffic stop. Writing for a unanimous court, Justice David H. Souter ruled that "a traffic stop necessarily curtails the travel a passenger has chosen just as much as it halts the driver. . . ." He said "a sensible person would not expect a police officer to allow people to come and go freely" from the scene of a stop. The court found that "Brendlin was seized from the moment [the driver's] car came to a halt on the side of the road, and it was error to deny his suppression motion on the ground that seizure occurred only at the formal arrest." A ruling that a passenger in a car is not seized in a traffic stop "would invite police officers to stop cars with passengers regardless of probable cause or reasonable suspicion of anything illegal," Souter wrote. "The fact that evidence uncovered as a result of an arbitrary traffic stop would still be admissible against any passengers would be a powerful incentive to run the kind of 'roving patrols' that would still violate the driver's Fourth Amendment right." The American Civil Liberties Union and the NAACP made similar arguments in support of Brendlin, arguing that if the Supreme Court ruled in California's favor, police would be able to conduct arbitrary traffic stops aimed at passengers, especially minorities. Most state and federal courts already permitted challenges by passengers, the Associated Press reported. However, California, Colorado and Washington state did not.
The case originated when a deputy sheriff and his partner spotted a parked Buick with expired registration tags and, upon checking with a dispatcher, learned that an application for renewal of the registration was being processed. When the officers later saw the car on the road, the deputy sheriff decided to pull it over to verify that a temporary operating permit valid through the end of the month matched the vehicle. Police later acknowledged that there was nothing unusual about the permit. The deputy sheriff, Robert Brokenbrough, saw a passenger in the front seat, asked him to identify himself and verified that he was "a parole violator with an outstanding no-bail warrant for his arrest," today's opinion said. Brokenbrough then ordered Brendlin out of the car at gunpoint and declared him under arrest. In a search, police found an orange syringe cap on Brendlin and syringes and marijuana on the driver, who also was arrested. In the car, police also found tubing, a scale and items used to produce methamphetamine. Brendlin was charged with possession and manufacture of methamphetamine. He moved to suppress the evidence found on him and in the car as the fruits of an unconstitutional seizure, arguing that police lacked probable cause to stop the vehicle. The trial court denied his motion to suppress, but the California Court of Appeal reversed the denial. The case then went to the state Supreme Court, which narrowly overturned the appellate court's decision. The U.S. Supreme Court said it agreed to hear the case "to decide whether a traffic stop subjects a passenger, as well as the driver, to Fourth Amendment seizure." In vacating the California Supreme Court's judgment, Souter wrote, "We hold that a passenger is seized as well and so may challenge the constitutionality of the stop." 

From rforno at infowarrior.org Tue Jun 19 01:27:35 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 18 Jun 2007 21:27:35 -0400
Subject: [Infowarrior] - Appeals Court Says Feds Need Warrants to Search E-Mail
Message-ID:

Appeals Court Says Feds Need Warrants to Search E-Mail
By Luke O'Brien
June 18, 2007 | 1:22:17

A federal appeals court on Monday issued a landmark decision (.pdf) that holds that e-mail has similar constitutional privacy protections as telephone communications, meaning that federal investigators who search and seize emails without obtaining probable cause warrants will now have to do so. "This decision is of inestimable importance in a world where most of us have webmail accounts," said Kevin Bankston, a staff attorney for the Electronic Frontier Foundation. The ruling by the Sixth U.S. Circuit Court of Appeals in Ohio upheld a lower court ruling that placed a temporary injunction on e-mail searches in a fraud investigation against Steven Warshak, who runs a supplements company best known for a male enhancement product called Enzyte. Warshak hawks Enzyte using "Smiling Bob" ads that have gained some notoriety. The case boiled down to a Fourth Amendment argument, in which Warshak contended that the government overstepped its constitutional reach when it demanded e-mail records from his internet service providers. Under the 1986 federal Stored Communications Act (SCA), the government has regularly obtained e-mail from third parties without getting warrants and without letting targets of an investigation know (ergo, no opportunity to contest).

< - >

http://blog.wired.com/27bstroke6/2007/06/appeals_court_s.html

From rforno at infowarrior.org Tue Jun 19 14:04:27 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 19 Jun 2007 10:04:27 -0400
Subject: [Infowarrior] - OT: Vatican issues "10 Commandments" for good motorists
Message-ID:

You can't make this stuff up......how can Triple-A compete with this??
:) -rf

Vatican issues "10 Commandments" for good motorists
Tue Jun 19, 2007 9:17AM EDT
By Philip Pullella

VATICAN CITY (Reuters) - Thou shall not drive under the influence of alcohol. Thou shall respect speed limits. Thou shall not consider a car an object of personal glorification or use it as a place of sin. The Vatican took a break from strictly theological matters on Tuesday to issue its own rules of the road, a compendium of do's and don'ts on the moral aspects of driving and motoring. A 36-page document called "Guidelines for the Pastoral Care of the Road" contains 10 Commandments covering everything from road rage, respecting pedestrians, keeping a car in good shape and avoiding rude gestures while behind the wheel.

< - >

http://www.reuters.com/article/worldNews/idUSL1937441220070619?feedType=RSS&rpc=22&sp=true

From rforno at infowarrior.org Wed Jun 20 19:28:38 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 20 Jun 2007 15:28:38 -0400
Subject: [Infowarrior] - DHS Acknowledges Own Computer Break-Ins
Message-ID:

http://www.washingtonpost.com/wp-dyn/content/article/2007/06/20/AR2007062000181.html

DHS Acknowledges Own Computer Break-Ins
By TED BRIDIS, The Associated Press
Wednesday, June 20, 2007; 6:34 AM

WASHINGTON -- The Homeland Security Department, the lead U.S. agency for fighting cyber threats, suffered more than 800 hacker break-ins, virus outbreaks and other computer security problems over two years, senior officials acknowledged to Congress. In one instance, hacker tools for stealing passwords and other files were found on two internal Homeland Security computer systems. The agency's headquarters sought forensic help from the department's own Security Operations Center and the U.S. Computer Emergency Readiness Team it operates with Carnegie Mellon University.
In other cases, computer workstations in the Coast Guard and the Transportation Security Administration were infected with malicious software detected trying to communicate with outsiders; laptops were discovered missing; and agency Web sites suffered break-ins. The chairman of the House Homeland Security Committee, Rep. Bennie Thompson, D-Miss., said such problems undermine the government's efforts to encourage companies and private organizations to improve cyber security. "What the department is doing on its own networks speaks so loudly that the message is not getting across," Thompson said. Congressional investigators, expected to testify Wednesday during an oversight hearing about the department's security lapses, determined that persistent weaknesses "threaten the confidentiality, integrity and availability of key DHS information and information systems," according to a new report from the Government Accountability Office being released later in June. The Homeland Security Department's chief information officer, Scott Charbo, assured lawmakers his organization was working to prevent such problems. "We need to increase our vigilance to ensure that such incidents do not happen again," Charbo wrote in testimony prepared for Wednesday's hearing. "The department takes these incidents very seriously and will work diligently to ensure they do not recur." The computer problems disclosed to the House Homeland Security subcommittee occurred during fiscal 2005 and fiscal 2006, and occurred at DHS headquarters and many of the department's agencies, including TSA, the Coast Guard, Federal Emergency Management Agency, Customs and Border Protection and others. The subcommittee's chairman, Rep. Jim Langevin, D-R.I., said break-ins to government computer networks and theft of information are "one of the most critical issues confronting our nation, and we must deal with this threat immediately." 
All the problems involved the department's unclassified computer networks, although DHS officials also have acknowledged to lawmakers dozens of incidents they described as "classified spillage," in which secret information was improperly transmitted or discussed over nonsecure e-mail systems.

From rforno at infowarrior.org Thu Jun 21 12:23:20 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 21 Jun 2007 08:23:20 -0400
Subject: [Infowarrior] - Another RIAA slapdown from the bench (and great QOTD)
Message-ID:

Judge deals blow to RIAA, says students can respond to John Doe lawsuit
http://arstechnica.com/news.ars/post/20070620-judge-deals-blow-to-riaa-says-students-can-respond-to-john-doe-lawsuit.html

Best quote: "While the Court does not dispute that infringement of a copyright results in harm, it requires a Coleridgian 'suspension of disbelief' to accept that the harm is irreparable, especially when monetary damages can cure any alleged violation," wrote the judge. "On the other hand, the harm related to disclosure of confidential information in a student or faculty member's Internet files can be equally harmful."

From rforno at infowarrior.org Thu Jun 21 20:50:19 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 21 Jun 2007 16:50:19 -0400
Subject: [Infowarrior] - Hacker penetrates Pentagon email system
Message-ID:

Hacker penetrates Pentagon email system
June 22, 2007 - 4:37AM
http://www.smh.com.au/news/Technology/Hacker-penetrates-Pentagon-email-system/2007/06/22/1182019305007.html

A hacker penetrated an unclassified Pentagon email system, prompting authorities to take as many as 1,500 accounts off-line, defense officials said Thursday. "All precautionary measures are being taken and we expect this system to be on-line again very soon," said Colonel Gary Keck, a Pentagon spokesman. He said the penetration was detected Wednesday in the unclassified email system of the office of the secretary of defense, which employs thousands of people.
Between 1,000 and 1,500 users of the system were taken off-line, a defense official said. The system carries "routine email" involving administrative matters but not classified information related to military operations, Keck said. He would not comment on the source of the attack, or whether the hacker was able to read email sent over the system. "The department has redundant systems in place and there is no anticipated adverse impact to ongoing operations," he said. "The department aggressively monitors its networks for intrusions and has appropriate procedures to address events of this nature," he said.

© 2006 AFP

From rforno at infowarrior.org Thu Jun 21 23:16:41 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 21 Jun 2007 19:16:41 -0400
Subject: [Infowarrior] - White House near decision to close Gitmo
Message-ID:

White House near decision to close Gitmo
By MATTHEW LEE, Associated Press Writer
28 minutes ago

WASHINGTON - The Bush administration is nearing a decision to close the Guantanamo Bay detainee facility and move the terror suspects there to military prisons elsewhere, The Associated Press has learned. President Bush's national security and legal advisers are expected to discuss the move at the White House on Friday and, for the first time, it appears a consensus is developing, senior administration officials said Thursday. The advisers will consider a proposal to shut the center and transfer detainees to one or more Defense Department facilities, including the maximum security military prison at Fort Leavenworth in Kansas, where they could face trial, said the officials. They spoke on condition of anonymity because they were discussing internal deliberations.
Officials familiar with the agenda of the Friday meeting said Vice President Dick Cheney, Secretary of State Condoleezza Rice, Defense Secretary Robert Gates, Attorney General Alberto Gonzales, Homeland Security chief Michael Chertoff, National Intelligence Director Mike McConnell and Joint Chiefs of Staff chairman Gen. Peter Pace were expected to attend. It was not immediately clear if the meeting would result in a final recommendation to Bush. Previous plans to close Guantanamo have run into resistance from Cheney, Gonzales and former Defense Secretary Donald Rumsfeld. But officials said the new suggestion is gaining momentum with at least tacit support from the State and Homeland Security departments, the Pentagon, and the Intelligence directorate. Cheney's office and the Justice Department have been dead set against the step, arguing that moving "unlawful" enemy combatant suspects to the U.S. would give them undeserved legal rights.

< - >

http://news.yahoo.com/s/ap/20070621/ap_on_go_ca_st_pe/us_guantanamo_8

From rforno at infowarrior.org Fri Jun 22 03:59:48 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 21 Jun 2007 23:59:48 -0400
Subject: [Infowarrior] - Agency Is Target in Cheney Fight on Secrecy Data
Message-ID:

June 22, 2007
Agency Is Target in Cheney Fight on Secrecy Data
By SCOTT SHANE
http://www.nytimes.com/2007/06/22/washington/22cheney.html?_r=1&hp=&oref=slogin&pagewanted=print

For four years, Vice President Dick Cheney has resisted routine oversight of his office's handling of classified information, and when the National Archives unit that monitors classification in the executive branch objected, the vice president's office suggested abolishing the oversight unit, according to documents released yesterday by a Democratic congressman. The Information Security Oversight Office, a unit of the National Archives, appealed the issue to the Justice Department, which has not yet ruled on the matter. Representative Henry A.
Waxman, Democrat of California and chairman of the House Committee on Oversight and Government Reform, disclosed Mr. Cheney's effort to shut down the oversight office. Mr. Waxman, who has had a leading role in the stepped-up efforts by Democrats to investigate the Bush administration, outlined the matter in an eight-page letter sent Thursday to the vice president and posted, along with other documentation, on the committee's Web site. Officials at the National Archives and the Justice Department confirmed the basic chronology of events outlined in Mr. Waxman's letter. The letter said that after repeatedly refusing to comply with a routine annual request from the archives for data on his staff's classification of internal documents, the vice president's office in 2004 blocked an on-site inspection of records that other agencies of the executive branch regularly go through. The National Archives is an executive branch department headed by a presidential appointee, and it is assigned to collect the data on classified documents under a presidential executive order. Its Information Security Oversight Office is the division that oversees classification and declassification. "I know the vice president wants to operate with unprecedented secrecy," Mr. Waxman said in an interview. "But this is absurd. This order is designed to keep classified information safe. His argument is really that he's not part of the executive branch, so he doesn't have to comply." A spokeswoman for Mr. Cheney, Megan McGinn, said, "We're confident that we're conducting the office properly under the law." She declined to elaborate. Other officials familiar with Mr. Cheney's view said that he and his legal adviser, David S. Addington, did not believe that the executive order applied to the vice president's office because it had a legislative status in the Constitution as well as an executive one.
Other White House offices, including the National Security Council, routinely comply with the oversight requirements, according to Mr. Waxman's office and outside experts. Tony Fratto, a White House spokesman, said last night, "The White House complies with the executive order, including the National Security Council." The dispute is far from the first to pit Mr. Cheney and Mr. Addington against outsiders seeking information, usually members of Congress or advocacy groups. Their position is generally based on strong assertions of presidential power and the importance of confidentiality, which Mr. Cheney has often argued was eroded by post-Watergate laws and the prying press. Mr. Waxman asserted in his letter and the interview that Mr. Cheney's office should take the efforts of the National Archives especially seriously because it has had problems protecting secrets. He noted that I. Lewis Libby Jr., the vice president's former chief of staff, was convicted of perjury and obstruction of justice for lying to a grand jury and the F.B.I. during an investigation of the leak of classified information, the status of Valerie Wilson, the wife of a Bush administration critic, as a Central Intelligence Agency officer. Mr. Waxman added that in May 2006 a former aide in Mr. Cheney's office, Leandro Aragoncillo, pleaded guilty to passing classified information to plotters trying to overthrow the president of the Philippines. "Your office may have the worst record in the executive branch for safeguarding classified information," Mr. Waxman wrote to Mr. Cheney. In the tradition of Washington's semantic dust-ups, this one might be described as a fight over what an "entity" is. The executive order, last updated in 2003 and currently under revision, states that it applies to any "entity within the executive branch that comes into the possession of classified information." J. William Leonard, director of the oversight office, has argued in a series of letters to Mr.
Addington that the vice president's office is indeed such an entity. Mr. Leonard noted that previous vice presidents had complied with the request for data on documents classified and declassified, and that Mr. Cheney did so in 2001 and 2002. But starting in 2003, the vice president's office began refusing to supply the information. In 2004, it blocked an on-site inspection by Mr. Leonard's office that was routinely carried out across the government to check whether documents were being properly labeled and safely stored. Mr. Addington did not reply in writing to Mr. Leonard's letters, according to officials familiar with their exchanges. But Mr. Addington stated in conversations that the vice president's office was not an "entity within the executive branch" because, under the Constitution, the vice president also plays a role in the legislative branch, as president of the Senate, able to cast a vote in the event of a tie. Mr. Waxman rejected that argument. "He doesn't have classified information because of his legislative function," Mr. Waxman said of Mr. Cheney. "It's because of his executive function." Mr. Cheney's general resistance to complying with the oversight request was first reported last year by The Chicago Tribune. In January, Mr. Leonard wrote to Attorney General Alberto R. Gonzales asking that he resolve the question. Erik Ablin, a Justice Department spokesman, said last night, "This matter is currently under review in the department." Whatever the ultimate ruling, according to Mr. Waxman's letter, the vice president's office has already carried out "possible retaliation" against the oversight office. As part of an interagency review of Executive Order 12958, Mr. Cheney's office proposed eliminating appeals to the attorney general -- precisely the avenue Mr. Leonard was taking. According to Mr. Waxman's investigation, the vice president's staff also proposed abolishing the Information Security Oversight Office.
The interagency group revising the executive order has rejected those proposals, Mr. Waxman said. Ms. McGinn, Mr. Cheney's spokeswoman, declined to comment. Mr. Cheney's penchant for secrecy has long been a striking feature of the Bush administration, beginning with his fight to keep confidential the identities of the energy industry officials who advised his task force on national energy policy in 2001. Mr. Cheney took that dispute to the Supreme Court and won. Steven Aftergood, who tracks government secrecy at the Federation of American Scientists and last year filed a complaint with the oversight office about Mr. Cheney's noncompliance, said, "This illustrates just how far the vice president will go to evade external oversight." But David B. Rivkin, a Washington lawyer who served in Justice Department and White House posts in earlier Republican administrations, said Mr. Cheney had a valid point about the unusual status of the office he holds. "The office of the vice president really is unique," Mr. Rivkin said. "It's not an agency. It's an extension of the vice president himself."

From rforno at infowarrior.org Fri Jun 22 11:42:13 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 22 Jun 2007 07:42:13 -0400
Subject: [Infowarrior] - Proposed Amendment Would Ban All DVD Copying
Message-ID:

Proposed Amendment Would Ban All DVD Copying
06.20.07
http://www.pcmag.com/article2/0,1895,2148802,00.asp
By Mark Hachman

A proposed amendment to the current copy protection license governing DVDs would completely ban all DVD backups, and prevent DVD playback without the DVD disk being present inside the drive. The proposed amendment was made public in a letter sent by Michael Malcolm, the chief executive of Kaleidescape, a DVD jukebox company which successfully defeated a suit by the DVD Copy Control Association (DVD CCA) this past March. The proposed amendment is scheduled for a vote on Wednesday, according to Malcolm.
A spokesman for the CCA said he was not aware of the proposed amendment, but added that he could not comment until the CCA had finished its deliberations. A spokeswoman for Kaleidescape said she understood that a final decision could take weeks, if not months. The amendment is currently being considered by the Content Protection Advisory Council (CPAC) of the DVD CCA. If enacted, it would become binding in 18 months from the date on which the CCA notified its licensees, which include DVD hardware and software manufacturers. The terms of the amendment, formally referred to as the "Unknown Specification Amendment," are just a paragraph long, and would basically eliminate DVD copying of any form, whether for the purposes of fair use or not. The amendment reads: "6.4. Certain Requirements for DVD Products. DVD Products, alone or in combination with other DVD Products, shall not be designed to descramble scrambled CSS Data when the DVD Disc containing such CSS Data and associated CSS Keys is not physically present in the DVD Player or DVD Drive (as applicable), and a DVD Product shall not be designed to make or direct the making of a persistent copy of CSS Data that has been descrambled from such DVD Disc by such DVD Product." The amendment was proposed by Chris Cookson of Warner Bros., Ben Carr of Walt Disney Studios, Jeffrey Lawrence of Intel, Gabe Beged-Dov of Hewlett-Packard, David Harshman of Toshiba, and Andy Parsons of Pioneer Electronics, according to Malcolm as well as the attached letter proposing the amendment, and signed by the legal counsel representing the signatories. To Malcolm, the proposed amendment was designed to put Kaleidescape out of business, and represented an unfair monopoly that should be broken up. The letter was addressed to several members of the Federal Trade Commission, key members of the U.S. 
Senate and House of Representatives, Department of Justice staffers, EU regulatory bodies, and the chief executives of the companies the amendment signatories are employed by, as well as industry executives like Microsoft chief executive Steve Ballmer. "The real purpose of this proposed amendment is to put Kaleidescape out of business by excluding the Kaleidescape System from the DVD playback devices authored by the CSS License Agreement," Malcolm wrote. "You should be aware before you vote on the proposed amendment that you expose yourself, your employer and the DVD CCA to serious and substantial antitrust liability if you vote for this amendment. Both state and federal laws outlaw anticompetitive conduct by businesses joining together to put a competitor out of business." The DVD CCA has previously tried twice to add "managed copy" provisions to its licensing agreement, and both times the vote has failed, according to reports. Managed copies would either transfer the CSS key to the recordable DVD, which would require an additional CSS "replicator" license, or else use what is called "pre-keyed" media, which would include the CSS key already as part of the disc structure. The proposed amendment would apparently add hardware restrictions to prevent DVD data from being descrambled and then copied. To date, that provision has been effectively enforced by litigation, which has effectively prevented mainstream software companies from copying or "backing up" DVD movies. A number of independent software developers, however, have published utilities or other applications for "ripping" DVD movies. The proposed amendment would also prohibit software manufacturers from creating "virtual drives," running a DVD image from a hard drive. The previous Kaleidescape case touched upon the company's use of ripping a DVD to a large internal hard drive, and playing back the movie on demand without the need for a physical disk to be inserted into the drive.
In the previous ruling settling the Kaleidescape-DVD CCA dispute, Judge Leslie C. Nichols of the Santa Clara Superior Court merely stated that the company had met its obligations to the CCA under its license agreement, without addressing the broader issue of fair use. Editor's Note: This story has been updated at 4:20 PM PDT with comments from both the DVD CCA as well as Kaleidescape.

From rforno at infowarrior.org Sat Jun 23 03:13:00 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 22 Jun 2007 23:13:00 -0400
Subject: [Infowarrior] - Photography Banned in Silver Spring, Maryland
Message-ID:

Photography Banned in Downtown Silver Spring, Maryland
by Bill Adler | June 22, 2007 at 02:42 pm |
http://www.nowpublic.com/photography_banned_downtown_silver_spring_maryland

You're going to want to read the following two paragraphs twice because you're not going to believe them. "This past Tuesday I went to downtown Silver Spring, had lunch, and then took out my camera and standing on Ellsworth Avenue, I began taking shots of the buildings with the blue sky and clouds as a backdrop. Almost immediately, a security guard approached and told me 'there was no picture taking allowed in Downtown Silver Spring.' 'What do you mean?' I said, 'I am on a city street, in a public place -- taking pictures is a right that I have protected by the first amendment.' The guard told me to report to the management office. "There, Stacy Horan informed me that Downtown Silver Spring including Ellsworth Avenue is private property, not a public place, and subject to the rules of the Peterson Companies. They have a no photography policy to 'protect them from people who might want to use the photographs as part of a story in which they could write bad things about us.' And she told me that many of the chain stores in Downtown Silver Spring don't want their 'concepts' to be photographed for security reasons."
It appears that this street, Ellsworth Avenue, in downtown Silver Spring, Maryland is, in fact, a private street. But when you peel back a layer, you find that actually it is not purely private property, although the Peterson company is treating the street as private property. This part of downtown Silver Spring was developed using public and private money, and what the Peterson Company claims to be its property is actually owned by Montgomery County, and leased to the Peterson Company. As part of the lease agreement, Peterson has to allow the public to access Ellsworth Avenue, which is connected to city-owned streets on either end. What's happened in Silver Spring, Maryland is an example of what's happening all around the Washington, DC area: Police and security guards are claiming a right to bar photographers where no such law allows them to do that. And when the police and security guards aren't barring photography, they're asking photographers for identification and an explanation -- again without a law permitting them to stop a photographer and ask for identification. These events spurred Chip Py and Kate Mereand to form a Flickr group promoting photographer rights in Washington, DC, www.flickr.com/groups/dcphotorights. This is a group where people can post photographs that "security" has tried to bar, and can discuss issues and problems about photography in the Washington, DC area. I asked Kate Mereand why she founded this group. She said: "I created DC Photo Rights in response to the numerous instances of harassment local area photographers have cited. I am an amateur photographer who has been shooting for about two years. I have found the DC amateur photographer society, especially through Flickr, to be a very supportive atmosphere. The city itself, however, seems to pose a constant challenge, especially to beginners. "The specific impetus was a photographer who was harassed for taking photos from the street in downtown Silver Spring, MD.
This struck a chord with me. I live and work in Silver Spring, and I have been a supporter of the development projects in the downtown area. These projects have faced some resistance, and I was saddened to hear that the downtown area that I often defend is associated with this sort of behavior. "I am specifically interested, also, in the role that security guards at federal buildings play in this. Many incorrectly inform photographers that photos are illegal. While this is prevalent with security guards everywhere, I find it more disturbing when federal security guard do this; many people regard there claims of protecting national security interests more seriously. And of course, in a few cases, photos of federal buildings are not allowed. So this often leaves photographers, amateurs especially, on uncertain grounds where easy victims of harassment. "I think what is chilling now, however, is how often 'national security' and 'terrorist threats' are used as an excuse for illegal harassment and abuse. The most disturbing trend I see is when people are asked to present identification when they are not breaking any laws." She added, "Often in this situation photographers are made to feel like a perpetrator of a crime, while they are actually the ones being victimized." When the police ask for ID, they usually write down your information. When you're approached by the police, or even by a private security guard, and quizzed about what you're doing, that can be unnerving and upsetting. Why am I being questioned? What's going to happen next? Might I be arrested if I give the wrong answers? It's been said time and time again, to the point of becoming cliche: The world changed after 9/11. We have to accept new security restrictions. We have to be cautions, careful, questioning, even suspicious. But being stopped in the street for completely lawful activity is not only un-American, and possibly unlawful itself, but it's likely to be ineffective, even counter productive. 
Regarding photography as suspicious activity diverts valuable brain power away from thinking about real dangers. Besides, terrorists can photograph sites surreptitiously if they want. These are the issues that Kate Mereand and Chip Py's DC Photo Rights Flickr group is focusing on. A protest has been scheduled in Silver Spring on July 4th to draw attention to this issue. Photographers participating in the will be meeting at Ellsworth Avenue in Silver Spring, and then will walk and snap their cameras. More information about this demonstration can be found here. Disclosure: I've contributed photos to the DC Photo Rights Flickr group. From rforno at infowarrior.org Sat Jun 23 03:14:22 2007 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 22 Jun 2007 23:14:22 -0400 Subject: [Infowarrior] - Chicago Official: Run red lights, please - we need the $$ Message-ID: A Chicago pol wants you to run more red lights http://machinist.salon.com/blog/2007/06/22/red_light_alderman/index.html A Chicago alderman is looking to ban a new device that alerts drivers when they're approaching red-light cameras. His argument: The city needs money from people who speed through red lights. That's right -- in order to keep Chicago rolling in cash, greedy alderman Edward Burke would prefer that drivers run red lights, possibly injuring themselves or others. As he sees it, any device that "subverts" that pleasant, cash-generating scenario ought to be outlawed. The device in question is the Cobra XRS R9G, a traditional radar detector that also tracks the location of red-light cameras through GPS. The unit sells for $439, and Cobra will also offer it to manufacturers for preinstallation in new cars. Burke, though, thinks that anyone who uses such a system is undermining Chicago's fiscal future. The city has installed red-light cameras at 39 dangerous intersections, and plans to have 70 working by the end of the year. 
As drivers approach these hot spots, signs warn them that a camera is watching their every move. Still, more than a few numbskulls inevitably pass through, winning a $90 fine -- which contributed to almost $20 million in cash for the city last year. Chicago's Mayor Richard Daley -- like every other sane politician who advocates installing red-light cameras -- insists that the cameras' primary purpose is safety. Indeed, an early test of the system showed that accidents fell by 23 percent after cameras were installed at dangerous intersections. But Burke -- who says that two other aldermen, Isaac Carothers and Thomas Allen, will join him in pushing the ban -- put the lie to the safety-first agenda. Red-light violation money "is budgeted in our annual appropriation ordinance," he said, according to the Chicago Tribune. "That is why all these cameras are being installed. The reality is that people blow through these intersections and they are going to be caught and they are going to be fined. It has become a big revenue source, absolutely." He added: "I don't think the [city's] goal is to allow the motorist to subvert the system that we are spending so much money on." Got that? The "reality" is that people are going to blow through intersections. Sure, a device that warns people of an upcoming red-light camera could change that "reality" by forcing speedy drivers to obey the law. And, true, everyone says that forcing people to heed the lights is the very point of installing red-light cameras. But not really. If drivers obey the rules, you can't fine them. And if you can't fine people, what's the point of being an alderman? [Via the Chicago Tribune. From rforno at infowarrior.org Sat Jun 23 14:03:27 2007 From: rforno at infowarrior.org (Richard Forno) Date: Sat, 23 Jun 2007 10:03:27 -0400 Subject: [Infowarrior] - FW: VA Drivers Beware! 
In-Reply-To: Message-ID: (kind of local for many of you readers, and hence why I'm passing it along......rf) Hefty Fees In Store for Misbehaving Va. Drivers By Tom Jackman Washington Post Staff Writer Saturday, June 23, 2007; A01 Attention Virginians: The cost of bad driving is about to go up. Way up. Say you are driving 78 mph on the Capital Beltway and a state trooper tickets you for "reckless driving -- speeding 20 mph over." You will probably be fined $200 by the judge. But then you will receive a new, additional $1,050 fine from the Old Dominion, payable in three convenient installments. So convenient that you must pay the first one immediately, at the courthouse. First-time drunk driver? A $300 fine from the judge and a $2,250 fee from the commonwealth. Driving without a license? Maybe a $75 fine. Definitely a $900 fee from Virginia. As part of the plan to fund the annual $1 billion transportation package approved this year, state legislators endorsed a new set of "civil remedial fees" for all misdemeanor and felony traffic violations, such as speeding 20 mph above the limit, reckless driving and, in some cases, driving with faulty brakes. Drivers with points on their licenses -- a speeding ticket usually earns four points -- will be hit for $75 for every point above eight and $100 for having that many points in the first place. The new fees will go into effect July 1, and defense attorneys, prosecutors and judges expect chaos. Court clerks fear having to deal with angry hordes learning about the fees for the first time at the payment window. 
< - > http://www.washingtonpost.com/wp-dyn/content/article/2007/06/22/AR2007062201781_pf.html From rforno at infowarrior.org Sat Jun 23 18:45:53 2007 From: rforno at infowarrior.org (Richard Forno) Date: Sat, 23 Jun 2007 14:45:53 -0400 Subject: [Infowarrior] - Privacy & E-Discovery: Don't Be Evil Message-ID: Don't Be Evil Mark Rasch http://www.securityfocus.com/columnists/447?ref=rss A series of developments raise the specter that remotely stored or created documents may be subject to subpoena or discovery all without the knowledge or consent of the document's creators. I have been playing around recently with Google's Documents and Spreadsheets. What Google documents and spreadsheets allows you to do is to create documents or spreadsheets (and soon probably presentations) completely online using no software other than a browser and an internet connection. No Microsoft Word, no WordPerfect, no Excel, nothing. All well and good. AFTER you create the document, however, you are supposed to store it on a Google server. Indeed, with virtually unlimited storage, a company could theoretically store all of its documents on Google's servers - all with nothing more than a GMail user ID and password for security. What is even better, all of your documents and spreadsheets would be automatically indexed using Google's software, making it easy for you to locate your documents no matter where you are - as long as you have an Internet connection and can remember your GMail password. Very convenient, but would you do it? Put aside the security aspects of remote storage of documents. Remember, irrespective of the amount of physical and logical security on the Google servers, ultimately your documents are going to be only as secure as your GMail password - and if you store your password somewhere, maybe not even that secure. 
I am not even sure that you can encrypt the documents you create on Google documents and spreadsheets - at least not with the software provided by Google - and encryption kind of defeats the purpose of indexing and quickly finding relevant documents. Add to the security issues the host of legal issues raised by remote storage generally. Whenever records or other evidence is housed with a third party, you have not only increased the likelihood of data access, you have created a new entity with physical or logical possession of your records. Who "owns" your records? Who has a right to access them? Who has "possession" of them? Who has "control" over them? Who must produce them if there is a subpoena, search warrant or other court order? Suffice it to say, when you lose "possession" of the documents, you lose control over what happens to them. Possession, Custody and Control One of the biggest problems in the area of computer security is the fact that the law doesn't really distinguish between physical property and intellectual property. The same law which relates to, for example the possession of the murder weapon, also relates to the possession of information about the murderer. Intellectual property is just property. If you "have" it, you can be compelled - through various legal processes - to give it up, both in civil litigation, criminal investigations, administrative hearings, internal reviews, etc. Thus, the same law that allows law enforcement agents to get information about you with a court order or subpoena would allow a husband or wife to get the same information in divorce litigation. Unless the information is privileged (and in many cases even if it is) the entity that "holds" the information must pony it up. The law recognizes that an entity has a legal obligation to produce any materials within its "possession, custody or control." 
Such possession, custody or control can be physical possession (the gun in the footlocker), legal authority to produce, or in this case, "virtual" possession. So whenever you entrust your information to some third party, you give up control over the information, and give up to some extent "possession" of that information. For some kinds of records this loss of control is inevitable. When you surf the web, you must transmit information about yourself through your browser to the web. When you send or receive e-mail, the information necessarily travels through some Internet Service Provider somewhere. Sure you can encrypt some information - you can use anonymizers to try to hide what you are doing, but in any event the information necessarily travels outside of your control. The anonymizer or "holder" of the information can be compelled to give up the information in the face of a subpoena or court order. There is nothing fundamentally new about any of this. What is new is the fact that there is so much information about us held in the hands of third parties which never existed before. I am not talking about weblogs or Myspace postings that I voluntarily put out. Every book I read online, every song I download, every video or radio show I stream, every article I peruse creates a third party record which can be discovered. What makes the Google documents and spreadsheets even more insidious is the fact that the stored records are not Google's records. You can at least make a plausible argument that my browsing activity, like my bank records, my phone records, my college transcripts, etc., are records of a third party (my bank, my phone company, my college) about me. That doesn't mean these records are personal, private or sensitive. Indeed, in the United States some of these records are entitled to some measure of legal protection from compelled disclosure. 
My medical records are actually the hospital or physician's records about me, but I have a privacy interest in them. On the other hand, the hospital is required to turn them over if, for example I have extremely drug resistant Tuberculosis. What is worse, if the hospital commits a crime or fraud (say, overbills the insurer for my treatment) the government can mandate that the hospital turn over my psychiatric records to be introduced into some court somewhere. What is worse, there is no requirement that the holder of these records about me be compelled to even tell me that they have been asked for or been compelled to produce these records unless they fall within a class of records that has separate legal protection. But Google Documents is different. These aren't Google's documents about me. They are MY records stored on Google's server. They can be personal like diary entries, they can be privileged attorney-client communications or research. They can be anything, but they are clearly mine. My intellectual property, my copyright, my thoughts or musings - not Google's. The same is true for my e-mails, voicemails, or the contents of my VOIP calls. So what happens when Google gets a subpoena or court order for my documents and spreadsheets - whether in a civil or a criminal case? As noted, the law generally requires an entity to produce any "evidence" - including documents and records - within its possession, custody or control. So my records are in the "possession" of Google in the same way that, if I left a smoking gun in your living room, the cops could either search your house for the gun, or get a subpoena compelling you to give up the gun. Physical Location But wait. These are personal records. They are "locked" in the sense that they are password protected, and only you have the key. Does the physical location of the virtual information that the documents represent really matter? It seems to. 
If your records are physically with a third party, they probably have "possession" of them for legal purposes, and therefore can be compelled to produce them, despite the fact that the records are virtual. The concept of location remains important in the law, but not so much in technology. Thus, when Cablevision, a US cable TV company, allowed its customers to digitally record shows for later playback, the court found it critically important that the recorded programs were stored remotely on a hard drive on Cablevision's servers (a copyright infringement) as opposed to being stored locally on a Cablevision hard drive at the customer's home. Just because the records are personal doesn't necessarily mean that the temporary custodian can't be compelled to produce them. The law has long recognized that by giving up the records to someone else, you are taking the risk that they will be turned over. Thus, the U.S. Supreme Court found that things like cancelled checks and other records can be subpoenaed from a bank without notice to the customer because "the issuance of a subpoena to a third party to obtain the records of that party does not violate the rights of a defendant." Similarly, testing the contents of a package damaged by a private freight company for drugs didn't violate the package owner's rights, because he took the risk that the freight carrier would disclose information to the government. The Supreme Court has also made it clear that the subject or target of an investigation is not required to be notified when their records are subpoenaed or otherwise demanded from a third party, noting that "When a person communicates information to a third party even on the understanding that the communication is confidential, he cannot object if the third party conveys that information or records thereof to law enforcement authorities." Now let's make it even more complicated. 
We already have the issues of physical location, virtual location, ownership, and privacy interests to deal with. To this we can add "ability and authority to access." Is the mere "ability" to access a document or record enough to mean that you have "possession, custody or control" of the record for the purposes of being compelled to produce that record? If I have your Gmail account ID and password, can I be compelled to produce your records? What if I regularly access your GMail documents and spreadsheets account? What if I have the authority to do so? At what point do I take possession of these records? On the other side, if you store your records remotely through Google Documents and Spreadsheets, can you avoid having to produce them pursuant to a subpoena or court order merely by claiming (correctly) that you don't "possess" them inasmuch as they are somewhere else? I don't think so. The issue isn't "ownership" either, as you can be compelled to produce ANY records or objects in your possession, custody or control - not just ones you own. Confused? Wait... there's more. Add to this mix the issues related to sovereignty, jurisdiction and venue. Different countries have different privacy laws, and different laws related to compelled production of information or documents in both civil and criminal cases. Can a US court order the production of records of a foreign company merely because they are stored on a server in Menlo Park, California? Can they reach over to compel production of records in a foreign country merely because a terminal in the U.S. can be used to "log in" to get them? Can an affiliate be compelled to produce records of a foreign domiciled affiliate merely because it has the ability to obtain those records? While the cases are going to be fact dependent, the general rule the U.S. courts are likely to follow will be, if you can produce, you must produce. What is the big deal if Google has to give up records you store remotely? 
I mean, after all, it's just a matter of whether the subpoena goes to Google or goes to you. After all, if YOU were subpoenaed for the same records (whether stored at Google or elsewhere) you would have to produce them. In the end, it's all the same, no? Not exactly. You see, increasingly not only are YOUR documents and records (or documents and records about you) being compelled to be produced, but - at least in criminal cases - the government is more or less routinely demanding of ISP's or other third party custodians that they not tell the person whose records are being sought that the records are being produced. And there is little in the law that mandates that the third party tell you that they are ponying up your records. In the case of "traditional" document storage facilities - you know, the kind where you box everything up and they store them - you have a contract with the storage facility that says that they will tell you if they get a subpoena. But then again, you are paying them every month for the storage. And they want to keep you happy. Even then, if a court orders that they NOT tell you, the court order trumps the contract. In the case of Google documents and spreadsheets, there is, as far as I can tell, no similar requirement. Sure, they have Terms of Service and a Privacy Policy, but the privacy policy specifically says that they can turn over records (doesn't say whose) if there is a court order or other legal process. While they want to keep their customers happy, let's face it, you aren't writing them a check every month. A case coming out of Cincinnati, Ohio on June 18, 2007 is illustrative. The federal government wanted to read the Yahoo! and NuVox (an ISP) e-mails sent and received by Stephen Warshak, the owner and operator of a company that sold nutritional supplements. The government was investigating Warshak for allegations of fraud. The government got a court order under the Stored Communications Act, 18 U.S.C. § 
2703, requiring the ISP's to pony up the contents of Warshak's emails, and further prohibiting the ISP from "disclos[ing] the existence of the Application or this Order of the Court, or the existence of this investigation, to the listed customer or to any person unless and until authorized to do so by the Court." The magistrate further ordered that "the notification by the government otherwise required under 18 U.S.C. § 2703(b)(1)(B) be delayed for ninety days." A year later, Warshak learned about the fact that the government had been reading his emails, and applied for a court order to prevent any future reading of his emails without at least letting him know. The government argued that Warshak had no standing or ability to challenge the subpoena, since it called for records that were not HIS, but rather those of the ISP. By "giving" his records to the ISP, he had, according to the government, forfeited his privacy rights. The court disagreed. It properly noted that, while a mere subpoena could be used to get access to non-personal records like billing records or usage records, a search warrant would be required to get the contents of communications from the ISP. While a mere subpoena might reach the contents of the records if, for example, you subpoenaed a party to the communication, the ISP merely was a "holder" of the records, and therefore a search warrant was required to access the records. The court stated: . . . the government could not get around the privacy interest attached to a private letter by simply subpoenaing the postal service with no showing of probable cause, because . . . postal workers would not be expected to read the letter in the normal course of business. . . . 
Similarly, a bank customer maintains an expectation of privacy in a safe deposit box to which the bank lacks access (as opposed to bank records, like checks or account statements) and the government could not compel disclosure of the contents of the safe deposit box only by subpoenaing the bank. The court went on to address the privacy interests of the users of commercial ISP's noting that: . . . individuals maintain a reasonable expectation of privacy in e-mails that are stored with, or sent or received through, a commercial ISP. The content of e-mail is something that the user "seeks to preserve as private," and therefore "may be constitutionally protected." . . . It goes without saying that like the telephone earlier in our history, e-mail is an ever-increasing mode of private communication, and protecting shared communications through this medium is as important to Fourth Amendment principles today as protecting telephone conversations has been in the past. The government also argued that, since the ISP's Terms of Use give it the right to read e-mails for certain purposes, (such as to comply with court orders or screen for malicious code) the user could not possibly have expected their email to be private - an argument the court soundly rejected. In the end, the Warshak court effectively told the government that it could not merely subpoena the ISP - a third party custodian - for the personal and private records of its customer (communications) except under certain circumstances. 
It could get the records: (1) if the government obtains a search warrant under the Fourth Amendment, based on probable cause and in compliance with the particularity requirement; (2) if the government provides notice to the account holder in seeking an SCA order, according him the same judicial review he would be allowed were he to be subpoenaed; or (3) if the government can show specific, articulable facts, demonstrating that an ISP or other entity has complete access to the e-mails in question and that it actually relies on and utilizes this access in the normal course of business, sufficient to establish that the user has waived his expectation of privacy with respect to that entity, in which case compelled disclosure may occur if that entity is afforded notice and an opportunity to be heard. In effect, the Court said that the ISP was standing in Warshak's shoes, and therefore Warshak had to be given a chance to object to the subpoena. Good idea. But remember, if the government gets a SEARCH WARRANT (as opposed to a subpoena) it can search for and seize your Google Documents and Spreadsheets, and can likewise get a court order that the ISP not tell you about it. In fact, the rules of criminal procedure in the United States, Federal Rules of Criminal Procedure 41(f)(1)(C) merely require that an inventory of what has been seized be left with the "person from whom, or from whose premises, the property was taken" - the ISP, not the person whose records were taken. Again, physical presence trumps privacy interests. What we need to do is establish rules similar to those established by the Court in Warshak. While location of records, and the nature of records is important, we need to look at the privacy interests involved. By storing my documents at Google instead of at my own server, have I really intended to give up privacy interests? 
Should we not create the concept of a "temporary custodian," someone who holds OUR personal information FOR US for a brief period of time, but who has to notify US if there is a demand for OUR records? I think a good hard look at substance over form is in order here. From rforno at infowarrior.org Sun Jun 24 16:23:13 2007 From: rforno at infowarrior.org (Richard Forno) Date: Sun, 24 Jun 2007 12:23:13 -0400 Subject: [Infowarrior] - DRM may be why Microsoft flip-flopped on Vista virtualization Message-ID: Analysis: DRM may be why Microsoft flip-flopped on Vista virtualization Eric Lai http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9025466&pageNumber=1 June 22, 2007 (Computerworld) Conspiracy theorists may link Microsoft Corp.'s abrupt decision late Tuesday not to remove restrictions on consumers virtualizing its Vista operating system to a Department of Justice agreement announced the same day or to a desire to jerk Intel Mac users around. But the actual reason may be found in three little letters: DRM. Vista's new digital rights management features enable movies or music files to be password-protected or made accessible only to authorized users for opening, viewing or changing. Whether most users would call DRM a feature, however, is questionable. A close cousin to DRM technology, known as Windows Rights Management Services (which in turn is part of a larger category of technologies called Enterprise Digital Rights Management, or ERM), can help business users password-protect key documents and files, or assign the ability to open them only to trusted co-workers. But DRM's main purpose seems to be to help the Warner Bros. and Sony Musics of the world keep consumers from sharing movies and music. The entertainment industry claims that almost all blocked sharing is illegal; digital rights watchdogs argue that legitimate consumer uses are also blocked by such technology. 
DRM is capable of blocking both overt piracy -- distributing movies via BitTorrent and other peer-to-peer networks -- as well as other common scenarios that most consumers do not consider piracy, such as moving legally acquired music files from their desktop PCs to their notebook computers. "It's like when you batten down the hatches on a ship in a storm," said Aram Sinnreich, an analyst at Radar Research in Los Angeles. "Vista wants to batten down every software or multimedia bit so that they don't go somewhere the creator doesn't want it to go." Versions out of control? The problem is that virtualization, by accident, appears to break most of Vista's DRM and antipiracy schemes. Virtualization software -- think VMware Inc.'s VMplayer, Microsoft's Virtual PC or Parallels Inc.'s Parallels Desktop -- allows computer users to boot one operating system but run a second one as a "guest" at the same time. That can allow a user who has booted Windows Vista to load XP-only applications in a guest XP operating system, also known as a virtual machine (VM). Or it can let a user with an Intel Mac boot up the OS X operating system but also run Windows Vista or XP applications at the same time. Microsoft's original plan was to announce on Tuesday changes to the contracts, known as end-user licensing agreements (EULA), for its Vista Home Basic and Home Premium editions. Those changes would permit buyers who use those editions to create VMs. The change was purely to the EULA; there is no technical limitation preventing knowledgeable users from virtualizing retail versions of Home Basic or Home Premium. Microsoft allows only full retail versions of Vista Business or Vista Ultimate (as well as Vista Enterprise for big corporations) to run as virtual guests of a host PC. Vista Business and Ultimate cost $299 and $399, respectively. 
The simple change in Microsoft's license for the two cheaper editions -- Home Basic Edition and Home Premium Edition cost $199 and $239, respectively -- would have saved customers at least $60 and up to $200. In addition, Microsoft planned to permit the use of DRM, IRM (Information Rights Management) and Vista's storage encryption technology, BitLocker, in a VM for any version of Vista. Besides boosting flagging perceptions of Microsoft's overall virtualization strategy, the move would have made Vista virtualization much more attractive to a key and growing segment -- Intel Mac owners who want to run Windows software. But at the last moment, Microsoft did a 360. Its explanation was terse: "Microsoft has reassessed the Windows virtualization policy and decided that we will maintain the original policy announced last Fall," said a spokesman in an e-mailed statement. A perfect picture (of cross-purposes) When a user creates a VM, the virtualization software takes a snapshot of the PC's hardware and then creates an exact copy of how that works in memory, according to DeGroot. This ability to perfectly simulate the way the original PC ran (albeit more slowly than the original) is why VMs are such a useful tool. But a VM, once created, can be copied hundreds or thousands of times and ported over to radically different PCs without triggering the antipiracy and DRM schemes of most software or multimedia files, including Vista's. Those schemes raise red flags only if they realize they've been moved to another computer, DeGroot said. Analysts say what probably happened behind the scenes is that Microsoft or one of its media partners decided at the last moment that encouraging consumers to use virtualization would, at least symbolically, be at odds with its attempts to enforce DRM. 
"Microsoft doesn't want the music labels, TV networks and movie studios to come back to them and say that you are enabling this ability to move content around," said Mike McGuire, an analyst at Gartner Inc. Microsoft has more at stake than other high-tech firms, McGuire said, what with its partnerships with NBC, its Xbox gaming platform, its Media Center PCs and even its Zune music player. "It's a very fine line that Redmond has to walk," McGuire said. "They have to answer to these companies if they want to have any hope of making the PC and their software the de facto usage model for multimedia." The problem is that even if Microsoft -- and U.S. law -- insist it is still illegal to use virtualization to enable the sharing of software or movies or music, its antipiracy technology is powerless to stop it. "It's absurd to expect that something demanded by a EULA is followed when technology and common practice permit otherwise," Sinnreich said. "Microsoft is banking on ongoing consumer naivete and goodwill. There will be a backlash against DRM in some not-so-distant future." Would anyone have bothered? Will encouraging consumer virtualization result in a major uptick in piracy? Not anytime soon, say analysts. One of the main obstacles is the massive size of VMs. Because they include the operating system, the simulated hardware, as well as the software and/or multimedia files, VMs can easily run in the tens of gigabytes, making them hard to exchange over the Internet. But DeGroot says that problem can be partly overcome with .zip and compression tools -- some, ironically, even supplied by Microsoft itself. "It's the kind of idea that is out there among the enthusiast community for file sharing and remixing, but it's not part of the standard arsenal for the average college student," Sinnreich said. Gartner's McGuire agrees: "Unless virtualization is more convenient and reliable than P2P, then no one is going to go to the trouble." 
From rforno at infowarrior.org Sun Jun 24 22:32:05 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 24 Jun 2007 18:32:05 -0400
Subject: [Infowarrior] - Librarians Describe Life Under An FBI Gag Order
Message-ID:

Librarians Describe Life Under An FBI Gag Order
By Luke O'Brien
June 24, 2007 | 2:22:57
http://blog.wired.com/27bstroke6/2007/06/librarians-desc.html

Life in an FBI muzzle is no fun. Two Connecticut librarians on Sunday described what it was like to be slapped with an FBI national security letter and accompanying gag order. It sounded like a spy movie or, gulp, something that happens under a repressive foreign government. Peter Chase and Barbara Bailey, librarians in Plainville, Connecticut, received an NSL to turn over computer records in their library on July 13, 2005. Unlike a suspected thousands of other people around the country, Chase, Bailey and two of their colleagues stood up to the Man and refused to comply, convinced that the feds had no right to intrude on anyone's privacy without a court order (NSLs don't require a judge's approval). That's when things turned ugly. The four librarians under the gag order weren't allowed to talk to each other by phone. So they e-mailed. Later, they weren't allowed to e-mail. After the ACLU took on the case and it went to court in Bridgeport, the librarians were not allowed to attend their own hearing. Instead, they had to watch it on closed circuit TV from a locked courtroom in Hartford, 60 miles away. "Our presence in the courtroom was declared a threat to national security," Chase said. Forced to make information public as the case moved forward, the government resorted to one of its favorite tactics: releasing heavily redacted versions of documents while outing anyone who didn't roll over for Uncle Sam. In this case, they named Chase, despite the fact that he was legally compelled to keep his own identity secret. Then the phone started ringing. Pesky reporters wanted info.
One day, the AP called Chase's house and got his son, Sam, on the phone. When Chase got home, he took one look at his son's face. "I could tell something was very wrong," he said. Sam told him the AP had called saying that Chase was being investigated by the FBI. "What's going on?" Sam asked his father. Chase couldn't tell him. For months, he worried about what his son must have been thinking. As the case moved forward, the librarians had to resort to regular duplicity with co-workers and family -- mysteriously disappearing from work without an explanation, secretly convening in subway stations, dancing around the truth for months. The ACLU even advised Chase to move to a safehouse. After the Bridgeport court ruled that the librarians' constitutional rights had been violated, the government appealed the decision to U.S. District Court in Manhattan. Around the same time, the Congressional spin machine kicked into overdrive. Rep. Jim Sensenbrenner (R-Wisconsin) wrote an op-ed in USA Today that said: "Zero. That's the number of substantiated USA Patriot Act civil liberties violations. Extensive congressional oversight found no violations. Six reports by the Justice Department's independent inspector general, who is required to solicit and investigate any allegations of abuse, found no violations." Once President Bush reauthorized the Patriot Act, the FBI lifted the librarians' gag order. "By withdrawing the gag order before the court had made a decision, they withdrew the case from scrutiny," Chase said. This eliminated the possibility that the NSL provisions would be struck down. Today, the Connecticut librarians are the only ones who can talk about life with an NSL gag, despite the likelihood that there are hundreds if not thousands of other similar stories out there. "Everyone else who would speak about is subject to a five year prison term," Chase said. The prison term for violating the gag order was added to the reauthorized Patriot Act.
From rforno at infowarrior.org Sun Jun 24 22:34:38 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 24 Jun 2007 18:34:38 -0400
Subject: [Infowarrior] - FBI to restrict student freedoms
Message-ID:

FBI to restrict student freedoms
Submitted by Canada IFP on Sun, 2007-06-24 06:58.
http://pressesc.com/01182668252_espionage_indicators

US university students will not be able to work late at the campus, travel abroad, show interest in their colleagues' work, have friends outside the United States, engage in independent research, or make extra money without the prior consent of the authorities, according to a set of guidelines given to administrators by the FBI. Federal agents are visiting some of New England's top universities, including MIT, Boston College, and the University of Massachusetts, to warn university heads about the dangers of foreign spies and terrorists stealing sensitive academic research. FBI is offering to brief faculty, students and staff on what it calls "espionage indicators" aimed at identifying foreign agents. Unexplained affluence, failing to report overseas travel, showing unusual interest in information outside the job scope, keeping unusual work hours, unreported contacts with foreign nationals, unreported contact with foreign government, military, or intelligence officials, attempting to gain new accesses without the need to know, and unexplained absences are all considered potential espionage indicators. Faculty, staff and students are encouraged to monitor their colleagues for signs of suspicious behaviour and report any concerns to the FBI or the military. "What we're most concerned about are those things that are not classified being developed by MIT [Massachusetts Institute of Technology], Worcester Polytech [Worcester Polytechnic Institute] and other universities," Warren Bamford, special agent in charge of the FBI's Boston office, told the Boston Herald.
"It's to make sure these institutions receive training...[on] what spies look for. There are hundreds of projects going on that could be useful to a foreign power." "My understanding is that what the FBI is proposing is not illegal, but it does raise questions about the chilling effect in regard to academia," Chris Ott, Communications Manager of the ACLU of Massachusetts told WSWS. "What will it mean about feeling free to pursue information? People on the campuses will be afraid to ask questions or take on the investigation of certain areas, say, for example, nuclear energy." University administrators have expressed their appreciation of FBI efforts. "It was a very nice offer," Robert A. Weygand, vice president for administration and a former Rhode Island congressman told the Boston Herald. "We are taking it under consideration." Last year the FBI initiated the College and University Security Effort (CAUSE), in order to establish an "alliance" between the Federal agency and academic institutions. According to the FBI, through CAUSE, Special Agents in charge meet with the heads of local colleges to discuss national security issues and to share information and ideas.

From rforno at infowarrior.org Mon Jun 25 14:10:38 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 25 Jun 2007 10:10:38 -0400
Subject: [Infowarrior] - FBI issues *another* SCUBA Diver Alert
Message-ID:

As a (somewhat new) diver I find hysterical that many of the 'combat swimmer' skills they cite as possible signs of 'nefarious activity' are taught as basic diving skills to ALL divers, and are requisite skills taught in such specialties like underwater navigation, deep diving, search and recovery, and more, to include Diver Propulsion Vehicle training that's become so popular for recreational divers in recent years. *facepalm* I'm beyond amused. This is absobleepinlutely pathetic.
-rick

FBI Issues Scuba Industry Alert Over Requests For Specialized Training, 'Nefarious Activity'
By Underwatertimes.com News Service
http://www.underwatertimes.com/print.php?article_id=64810251370

The FBI issues an advisory for the scuba industry to be on the alert for possible 'nefarious activity'

Washington, D.C. (2007-06-22 16:51:45 EST) The purpose of this advisory is to provide situational awareness to the scuba industry regarding behavior that may indicate an individual(s) is involved in nefarious activity. The following threat indicators, taken in isolation, generally reflect legitimate recreational and commercial activities. In combination with other information, they can indicate possible links to criminal behavior. Please note, the below indicators are not an all inclusive list, these indicators represent a baseline that could possibly indicate suspicious behavior.

Training Indicators
Requests for specialty training, including odd inquiries that are inconsistent with recreational diving. These may include:
- Requests to dive in murky water or sewer pipes.
- Inquiries about procedures such as diver towing.
- Requests to learn advanced skills associated with combat swimming, including:
  - Use of re-breathers and diver propulsion vehicles (DPVs).
  - Deep diving.
  - Conducting kick counts.
  - Receiving extra navigation training.
Requests for advanced diver training by applicants from countries where diving is not a common recreational activity.
Similarly, training sponsored by groups or agencies such as religious organizations, cults, associations, or charitable agencies not normally associated with diving.

Potentially Suspicious Equipment Purchases or Rentals
Volume purchasing inquiries related to Swimmer Delivery Vehicles (SDVs) and Diver Propulsion Vehicles (DPVs). SDVs are very expensive vehicles normally used for specialized military purposes, and usually are not available to recreational divers.
Efforts to purchase DPVs, the more commonly available civilian counterpart to SDVs, could be associated with extending the range or payload capacity of a combat swimmer team.

Other Indicators:
- Paying cash for diving instruction.
- Refusal or reluctance to provide personal information.

Recipients are requested to report suspicious or criminal activity to their local FBI Office.

From rforno at infowarrior.org Wed Jun 27 17:01:42 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 27 Jun 2007 13:01:42 -0400
Subject: [Infowarrior] - Banks demand a look inside customer PCs in fraud cases
Message-ID:

Banks demand a look inside customer PCs in fraud cases
Customers could be liable for any loss resulting from unauthorised internet banking transactions if their protective software is not up to date
By Stephen Bell
Wellington | Monday, 25 June, 2007
http://computerworld.co.nz/news.nsf/news/FDA3CE33D73B5B82CC257302000B0EE8

Banks are seeking access to customer PCs used for online banking transactions to verify whether they have enough security protection. Under the terms of a new banking Code of Practice, banks may request access in the event of a disputed transaction to see if security protection is in place and up to date. The code, issued by the Bankers' Association last week after lengthy drafting and consultation, now has a new section dealing with internet banking. Liability for any loss resulting from unauthorised internet banking transactions rests with the customer if they have "used a computer or device that does not have appropriate protective software and operating system installed and up-to-date, [or] failed to take reasonable steps to ensure that the protective systems, such as virus scanning, firewall, antispyware, operating system and anti-spam software on [the] computer, are up-to-date."
The code also adds: "We reserve the right to request access to your computer or device in order to verify that you have taken all reasonable steps to protect your computer or device and safeguard your secure information in accordance with this code. "If you refuse our request for access then we may refuse your claim." InternetNZ was still reviewing the new code, last week, executive director Keith Davidson told Computerworld. "In general terms, InternetNZ has been encouraging all internet users to be more security conscious, especially ... to use up-to-date virus checkers, spyware deletion tools and a robust firewall," Davidson says. "The new code now places a clear obligation on users to comply with some pragmatic security requirements, which does seem appropriate. If fraud continues unabated, then undoubtedly banks would need to increase fees to cover the costs of fraud," he says, so increasing security awareness and compliance in advance is probably the better tactic for both banks and their customers. "Bank customers who are unhappy with the new rules may choose to dispense with electronic banking altogether, and return to dealing with tellers at the bank. But it seems that electronic banking and in particular internet banking has become the convenient choice for consumers," Davidson says. The code also warns users that they could be liable for any loss if they have chosen an obvious PIN or password, such as a consecutive sequence of numbers, a birth date or a pet's name; disclosed a PIN or password to a third party or kept a "written or electronic record" of it. Similar warnings are already included in the section that deals with ATM and PINs for Eftpos that was issued in 2002. There is nothing in this clause allowing an electronic record to be held in a password-protected cache -- a facility provided by some commercial security applications.
For their part, the banks undertake to provide information on their websites about appropriate tools and services for ensuring security, and to tell customers where they can find this information when they sign up for internet banking. "One issue we have raised with the Bankers Association in the past is that banks should not initiate email contact with their customers," Davidson says. The code allows banks to use unsolicited email among other media to advise of changes in their arrangements with the customer, but Davidson says they should only utilise their web-based mail systems. "It is hardly surprising that some people fall victim to phishing email scams when banks use email as a normal method of communication, and therefore email can be perceived as a valid communication by end users," he says.

From rforno at infowarrior.org Thu Jun 28 11:41:09 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 28 Jun 2007 07:41:09 -0400
Subject: [Infowarrior] - Senate takes step away from Real ID
Message-ID:

Senate takes step away from Real ID
By Declan McCullagh
http://news.com.com/Senate+takes+step+away+from+Real+ID/2100-7348_3-6193735.html
Story last modified Wed Jun 27 19:43:08 PDT 2007

The U.S. Senate took a preliminary step on Wednesday toward reining in the controversial Real ID Act, which is scheduled to become America's first federal identification card in a few years. During Wednesday's floor debate over a massive immigration bill, Real ID foes managed to preserve an amendment to prohibit the forthcoming identification card from being used for mandatory employment verification, signaling that the political winds have shifted from when the law was overwhelmingly enacted two years ago. The anti-Real ID amendment is backed by two Montana Democrats, Max Baucus and Jon Tester, who say the digital ID cards represent an unreasonable government intrusion into Americans' private lives. In April, Montana became one of the states that has voted to reject Real ID.
"This was a real victory for Montana and the American people," Tester said, after the Senate vote to kill their amendment failed to muster a majority. The unsuccessful vote to table it was 45-52. The Real ID Act says that, starting on May 11, 2008, Americans will need a federally-approved ID card to travel on an airplane, open a bank account, collect Social Security payments or take advantage of nearly any government service. States must conduct checks of their citizens' identification papers, and driver's licenses may have to be reissued to comply with Homeland Security requirements. (States that agree in advance to abide by the rules have until 2013 to comply.) The immigration bill (Word document), which is backed by the Bush administration and has drawn the ire of many conservatives, requires employers to demand Real ID cards of new hires starting in 2013. It says that "no driver's license or state identity card may be accepted if it does not comply with the Real ID Act." It also would try to siphon off opposition on privacy or federalism grounds from state legislators by offering fat checks--$1.5 billion over five years--with funds coming from the U.S. Treasury. Baucus' and Tester's amendment (PDF) deletes the requirement for employer ID verification and says that "no federal funds may be provided" to states to create such a system. Tim Sparapani, the ACLU's legislative counsel, called the vote a "victory for privacy and a rejection of building an immigration system on a faulty foundation, which was the Real ID Act." "The way the bill was written," Sparapani said, "it should be seen as a Hail Mary pass to save Real ID from the scrap heap." A political sea change? Procedurally speaking, the vote was merely a preliminary one. The Baucus-Tester amendment itself still awaits a vote--and even if it is glued onto a successful immigration bill or if the immigration bill dies a second time, the underlying Real ID framework and deadlines remain in place. 
That framework is estimated to cost $23.1 billion, according to the Department of Homeland Security, and could include Americans outfitted with radio frequency ID, or RFID, chips on the cards (the idea is being considered but is not final). Personal data that's on the back of the card in a two-dimensional bar code will not be encrypted because of "operational complexity," meaning any business or government agency that scans the information could record it in a database. Politically speaking, though, Wednesday's vote could be a turning point in the national debate over Real ID. It indicates that a majority of senators are willing to curb the controversial system, which has already led to a kind of grassroots rebellion among the states. The ACLU, which runs Realnightmare.org, says that 15 states have enacted an anti-Real ID measure, 10 more have had such legislation approved by at least one chamber, and 8 more have had it introduced in the legislature. Homeland Security officials have defended Real ID as a way to limit illegal immigrants and to thwart terrorists from obtaining driver's licenses. Although some supporters exist in the U.S. Congress, key Democrats have said the law--enacted with minimal debate as part of an emergency Iraq war spending bill--needs to be reformed. Other amendments (text document) to the immigration bill could affect any final vote on the legislation. One amendment, backed by senators Max Baucus (D), Charles Grassley (R) and Barack Obama (D), was nixed on Wednesday. It would have rewritten the employment verification system and provided more due process protections for American workers.
CNET News.com's Anne Broache contributed to this report

From rforno at infowarrior.org Thu Jun 28 11:50:33 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 28 Jun 2007 07:50:33 -0400
Subject: [Infowarrior] - PDF Spam Outbreak
Message-ID:

(I've seen this myself recently and can confirm it's "noticeable increase" on the Net........rf)

PDF Spam Outbreak
Tuesday June 26, 2007 at 8:44 am CST
http://www.avertlabs.com/research/blog/index.php/2007/06/26/pdf-spam-outbreak/

A large "pump-and-dump" stock spam campaign is underway, but rather than including the content of the spam in an image file, this campaign includes the spam content within a .PDF file. The stock spam is believed to be sent from Stration infected computers, as this spam campaign closely followed a new W32/Stration worm mass-mailing which contained a number of .PDF files, and Stration has been associated with pump and dump spam in the past. The current spam contains one or more .PDF files, has a randomly generated subject line and sender name, and a blank message body. The .PDF files contain images which look very similar to previous image based stock spam. The appearance of PDF-based spam was predicted by AVERT in the article "Email Spam Plague Persists" in the latest SAGE report, as .PDF files can be more easily automated than other document formats. This prediction appears to be holding true, and as .GIF based image spam continues to decline we expect spammers will continue to try similar methods of sending image based spam.

< - >

....which means, as Mary Landesman writes at About.Com, "It turns out that pump and dump stock scammers are turning to PDFs because sending spam as an image file makes it easier for spam filters to stop the unwanted mail. On the one hand, PDF spam is kind of nice because now I can just delete the email without ever having to so much as see the contents.
But the dark side is, the spam is now just that much bigger and could tip the balance if your mail account has a low waterline. As a .GIF, the pump and dump image would have weighed in at about 8k tops. But as a PDF it swells to 3x the size because, well, that's what PDFs do."

From rforno at infowarrior.org Thu Jun 28 12:32:25 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 28 Jun 2007 08:32:25 -0400
Subject: [Infowarrior] - MPAA: Links to stuff we don't like must be illegal
Message-ID:

MPAA going after link-only sites.....because it's far easier to go after the index than actually FIND the allegedly-pirated material itself.

http://www.boingboing.net/2007/06/27/mpaa_sues_guerilla_v.html

It really comes down to the MPAA being lazy in its investigations and taking a sledgehammer approach to dealing with things they don't approve of. So by that logic, Microsoft could go after any site that links to Apple or Apple products, right? So say they shut this site down. Another one -- or another dozen -- pops up to take its place. I'm sure MPAA lawyers will love playing a profitable game of Internet whack-a-mole but as an interested bystander, I think they're simply conducting an exercise in futility that doesn't reflect an understanding of the true nature of how information exists and how the Internet works....or how customers' needs/desires have changed with the times. Idiots, all.

-rf

From rforno at infowarrior.org Thu Jun 28 12:37:32 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 28 Jun 2007 08:37:32 -0400
Subject: [Infowarrior] - ISP Deletes ALL User Multimedia Files Nightly
Message-ID:

ISP Deletes ALL User Multimedia Files
Just in case some of them might be pirated....
http://www.dslreports.com/shownews/85260

Boing Boing notes that Australian DSL provider Exetel runs an automated script each night that deletes any and all multimedia file types (mp3, mpg, mpeg, avi, wma) from their users' personal webspaces in order to protect themselves from the copyright cops. According to the ISP's website: "Based on the MIPI's actions in March 2005 against another ISP (People Telecom) and the actual finding guilty of a second ISP in July 2005 (ComCen), Exetel now believe there is a need to take more direct and pro-active action to monitor content stored on publicly accessible servers under its control." Users can e-mail the ISP to opt out of this nightly housecleaning (after movies of grandma disappear?), provided they send an e-mail promising the ISP none of the content is copyrighted. Hopefully, AT&T's promised U.S. industry first piracy crackdown will be somewhat more sophisticated.

From rforno at infowarrior.org Thu Jun 28 12:39:43 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 28 Jun 2007 08:39:43 -0400
Subject: [Infowarrior] - Gonzales Pushes Again for Increased ISP Data Retention
Message-ID:

Gonzales Pushes Again for Increased ISP Data Retention
By Luke O'Brien
June 27, 2007 | 2:11:05 PM
Categories: Crime, Identification, Privacy

U.S. Attorney General Alberto Gonzales last week reiterated his desire for increased ISP data retention to help combat crime. In a speech to the National Association of Attorneys General summer meeting in Atlanta, Gonzales gave his audience a graphic, stomach-turning look into the world of online pedophilia. He described a visit he made to the Justice Department's child exploitation and obscenity section and some of the images and online videos he'd seen. "It changed me," Gonzales said. "It was an orientation I will never forget."
Then he argued that not enough is being done to combat child exploitation and that law enforcement tools need to be bolstered, particularly by increasing data retention. "We have heard time and time again from state and local investigators and prosecutors that investigations of these crimes would be greatly aided by increased data retention by Internet Service Providers. That's why I asked a working group within the Department to look at this issue, and we're working hard on ways to remedy this problem. I appreciate your support on the issue of data retention; I hope we can continue to make significant strides in investigative practices in the future." The full text of Gonzales' speech is here (Warning: the pedophilia section is disturbing).

http://blog.wired.com/27bstroke6/2007/06/gonzales-pushes.html

From rforno at infowarrior.org Thu Jun 28 13:18:04 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 28 Jun 2007 09:18:04 -0400
Subject: [Infowarrior] - VA's fear tactics, surveillance, and the hot-button issue
In-Reply-To: <20070628124021.GA21716@gsp.org>
Message-ID:

I wonder how many false alarms or fake alarms are generated by folks here.......rf

(c/o RSK)

< - >

If you see a father holding his child's hand, call the cops
http://www.bloggernews.net/18108

I suppose the next logical move would be to report anyone scritching the dog's tummy for suspected bestiality.

From rforno at infowarrior.org Thu Jun 28 13:45:37 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 28 Jun 2007 09:45:37 -0400
Subject: [Infowarrior] - Rolling Stone: The Record Industry's Decline
Message-ID:

The Record Industry's Decline
Record sales are tanking, and there's no hope in sight: How it all went wrong
Brian Hiatt and Evan Serpick
Posted Jun 19, 2007 2:29 PM

This is the first part of a two-part series on the decline of the record industry.
Today we're including Brian Hiatt and Evan Serpick's report on where the music business went wrong, from the current issue of Rolling Stone, as well as an interactive graphic illustrating the industry's slide. Tomorrow, check back with RollingStone.com for interviews with industry leaders on the future of the music business.

< - >

http://www.rollingstone.com/news/story/15137581/the_record_industrys_decline

From rforno at infowarrior.org Sat Jun 30 16:57:57 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 30 Jun 2007 12:57:57 -0400
Subject: [Infowarrior] - More on....Silver Spring MD photo ban
Message-ID:

(c/o Anonymous)

http://www.baltimoresun.com/news/local/bal-md.photo29jun29,0,4435771.story?coll=bal-local-headlines

From the Baltimore Sun

Photographs spur debate on First Amendment
Residents defend rights in downtown Silver Spring
By Kelly Brewington
Sun reporter
June 29, 2007

The snapshots seemed harmless, or so Chip Py thought. Strolling around downtown Silver Spring on a recent afternoon, the amateur photographer began shooting the architecture of one of the city's grandest revitalization efforts -- a popular mix of shops, restaurants and outdoor gathering spaces that has transformed the once sleepy downtown area. The photo shoot was cut short when a security guard ordered Py to stop, saying that photographs were not allowed on the private property. Py was upset. Wasn't downtown Silver Spring, a project built with millions in city and state funds, a public space? According to the developers and Montgomery County officials, the answer is no. Py has since organized a group of about 250 concerned residents and consulted an attorney with the American Civil Liberties Union to fight what he called an attack on his First Amendment rights. Last night, the development team, PFA Silver Spring LLC, issued a new policy, allowing photography in the area. And on July 4, it plans to display a "Welcome Photographers" banner on the site.
But Py insists photography is not his sole concern. All types of free expression should be permitted, from political campaigning to handing out fliers and other literature, he said. "They are telling us it's OK to take pictures on the street, but we don't have any other First Amendment rights," he said. "They don't want to talk about public-private rights on a street. ... We are asking for some First Amendment considerations in our town." At noon on Independence Day, Py's group is planning a march on Ellsworth Drive, which runs through the development. A spokesman for the development team said appropriate concessions were made. "I think we went an extra mile in giving the photographers what they asked for, but we're always open to discussion," said I.J. Hudson, an attorney with Garson Claxton, a Bethesda law firm that represents the developers. He described the complex as a "shopping mall without a roof." Enclosed shopping malls tend to have similar restrictions and are considered by many to be private property. "This is private property, and the way we look at it, we have the right to control private property," he said. Hudson said banning photographers was not a rule, but rather, emerged after the developers received a complaint from a mother who said a stranger had photographed her child. The new policy states that the complex welcomes photography and videography, as long as tenants and others are not harassed or filmed against their wishes. Meanwhile, Montgomery County officials have stayed out of the debate for the most part, saying that since the county leases the property to the development team, the question of what is permissible should be the developers' decision. "But we're hoping for a reasonable accommodation," said county spokesman Patrick Lacefield. When the project was launched in 1999, the $1.2 billion public-private partnership, including $187 million in county and state funds, was considered the centerpiece of a downtown renaissance.
Once a thriving commercial district, the area had struggled with high vacancy rates over the last two decades. Today, the area -- which includes several city blocks amid downtown's main streets of Georgia Avenue and Colesville Road -- features alfresco dining, high-end retail and an interactive fountain, creating a mall setting in the middle of an urban center. The heart of the development runs along Ellsworth Drive, a portion of which has been converted to pedestrian-only traffic. In a letter to the developers, Py articulated his concern with a question: "Where do the public's rights end and the private corporation's policies take over?" Legal experts say the distinction is not always clear. As private firms purchase more public land, the question of public access can become complex, said C. Thomas Dienes, Lyle T. Alverson professor of law at George Washington University. "This issue keeps coming up -- is this really public, or is it private? And what is the scope of the public forum?" he said. "There is no hard and fast rule. This is very much a work in progress." In the case of a shopping complex, however, the public is essentially being invited onto the private space, Dienes said. "To the extent that a private property owner opens the property up to public uses, it's almost like a waiver of private property rights," he said. Photographers should have been allowed on the property from the start, he said, as long as they were not interfering with activity around them. After all, how does one distinguish a photographer taking snapshots from anyone else shopping or dining in the area? he asked. But making a case for First Amendment rights could be tough, Dienes said. "Typically, a private property owner can't violate your First Amendment rights, only the government can," he said. But Carl Tobias, a professor of constitutional law at the University of Richmond, disagreed. 
"It seems too rigid to say that if it's public, it's subject to the First Amendment and if it's private it's not, especially when you invite the public," he said. "The courts have ruled both ways on this issue. It may be fact-specific, depending on the kind of speech, the exact area. A host of factors come into play." Tobias also asks: "Is a shopping mall really private? I want to use the word, quasi-public. That's what I would argue."

From rforno at infowarrior.org Sat Jun 30 16:59:05 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 30 Jun 2007 12:59:05 -0400
Subject: [Infowarrior] - Blackhat Con presentation withdrawn
Message-ID:

This story appeared on Network World at http://www.networkworld.com/news/2007/062707-black-hat.html

Integrity of hardware-based computer security is challenged
Withdrawn Black Hat paper hints at flaws in TPM security architecture
By Tim Greene, Network World, 06/27/07

A presentation scheduled for Black Hat USA 2007 that promised to undermine chip-based desktop and laptop security has been suddenly withdrawn without explanation.

The briefing, "TPMkit: Breaking the Legend of [Trusted Computing Group's Trusted Platform Module] and Vista (BitLocker)," promised to show how computer security based on trusted platform module (TPM) hardware could be circumvented.

"We will be demonstrating how to break TPM," Nitin and Vipin Kumar said in their abstract for their talk that was posted on the Black Hat Web site but was removed overnight Monday.

"The demonstration would include a few live demonstrations. For example, one demonstration will show how to login and access data on a Windows Vista System (which has TPM + BitLocker enabled)," the abstract said. BitLocker is disk-encryption technology in Microsoft's Vista operating system that relies on TPM to store keys.

In an e-mail, Vipin Kumar says, "We have pulled back our presentation from ... Black Hat. So, we won't be presenting anything related to TPM/BitLocker in Black Hat. ... We would not like to say anything about the TPM/BitLocker for the time being." He didn't respond to inquiries about why the brothers withdrew.

A spokesman for the conference was unable to offer more information. "At their request, they are no longer presenting. That is all the info I have," said the spokesman, Nico Sell, in an e-mail.

The conference brings together technically savvy security experts from business, government and the hacking community to discuss the latest security technologies. Frequently, Black Hat briefings become controversial because they point out previously unknown weaknesses in products or technologies.

The Kumars' promised exploit would be a chink in the armor of hardware-based system integrity that TPM is designed to ensure. TPM is also a key component of Trusted Computing Group's architecture for network access control (NAC).

TPM would create a unique value or hash of all the steps of a computer's boot sequence that would represent the particular state of that machine, according to Steve Hanna, co-chair of TCG's NAC effort. This initial hash of a known, trusted machine would be stored in the TPM and compared to the hash that is created when that machine last booted up.

As part of TCG's NAC plan, if the hash values don't match, that indicates the machine has been altered and might no longer be secure, says Hanna. That check, known as remote attestation, would be part of decision making by a NAC policy server.

In their description of their talk, the Kumars said they have developed a tool called TPMkit that bypasses remote attestation and would let a computer that is not in a trusted state gain access anyway.

At the Black Hat conference in Amsterdam earlier this year the Kumars demonstrated a bootkit that can insinuate itself into the Vista kernel without setting off Vista security alarms. At the time, the pair said they thought TPM was the only way to ensure that unsigned code is blocked from executing during the Vista boot sequence.
The Kumars live in India and run a security consulting firm called NV Labs.

All contents copyright 1995-2007 Network World, Inc. http://www.networkworld.com

From rforno at infowarrior.org Sat Jun 30 20:58:32 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 30 Jun 2007 16:58:32 -0400
Subject: [Infowarrior] - New NFL media policy = corporate suicide?
Message-ID:

Under NFL Rule, Media Web Sites Are Given Just 45 Seconds to Score
http://tinyurl.com/2ulyvl

< - >

In a move designed to protect the Internet operations of its 32 teams, the pro football league has told news organizations that it will no longer permit them to carry unlimited online video clips of players, coaches or other officials, including video that the news organizations gather themselves on a team's premises. News organizations can post no more than 45 seconds per day of video shot at a team's facilities, including news conferences, interviews and practice-field reports.

< - >

The new policy covers everything shot by news organizations within team facilities. In addition to the 45-second-per-day limit, news organizations must also provide a link to NFL.com and a team's Web site for any team-related footage shown on those Web sites. The league also prohibits news outlets from selling advertising tied to video gathered at a team's facilities.

< - >

The league says it will allow unlimited Web video of "stand-up" reports at its facilities -- those in which a reporter speaks to the camera -- as long as no players, coaches or action is shown. Nor will it restrict reporters from producing still pictures or text stories while on team or league property.
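
Added example, not part of the archived messages or of any Network World or TCG material: the boot-sequence hash check that Steve Hanna describes in the Network World TPM article above, modeled with the SHA-1 extend operation used by TPM 1.2 platform configuration registers. The stage contents, the key, and the HMAC standing in for the TPM's signed quote are constructed assumptions.

```python
import hashlib
import hmac
import os

PCR_SIZE = 20  # SHA-1 digest length, the size of a TPM 1.2 PCR

def extend(pcr: bytes, component: bytes) -> bytes:
    """PCR extend: new = SHA1(old || SHA1(component)). One-way and order-sensitive."""
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()

def measure_boot(stages) -> bytes:
    """Fold every boot stage, in order, into one PCR value starting from zeros."""
    pcr = bytes(PCR_SIZE)
    for blob in stages:
        pcr = extend(pcr, blob)
    return pcr

def quote(pcr: bytes, nonce: bytes, key: bytes) -> bytes:
    """Stand-in for a TPM quote: HMAC over nonce||PCR (a real TPM signs with an RSA key)."""
    return hmac.new(key, nonce + pcr, hashlib.sha256).digest()

def admit(golden: bytes, nonce: bytes, key: bytes, reported_pcr: bytes, sig: bytes) -> bool:
    """Policy-server decision: the quote must verify for this nonce AND match the golden PCR."""
    if not hmac.compare_digest(quote(reported_pcr, nonce, key), sig):
        return False  # unsigned claim, or a quote replayed from another challenge
    return hmac.compare_digest(reported_pcr, golden)

# Constructed sample data: placeholders, not real firmware images or keys.
KEY = b"constructed-demo-attestation-key"
GOOD_BOOT = [b"bios v1", b"bootloader v1", b"kernel v1"]
ALTERED_BOOT = [b"bios v1", b"bootloader v1 + extra code", b"kernel v1"]
GOLDEN = measure_boot(GOOD_BOOT)  # recorded once from the known, trusted machine

def attest(stages, nonce: bytes):
    """Client side: measure the boot chain and return (pcr, quote bound to the nonce)."""
    pcr = measure_boot(stages)
    return pcr, quote(pcr, nonce, KEY)

if __name__ == "__main__":
    n = os.urandom(16)  # fresh challenge from the policy server
    print("clean boot admitted:  ", admit(GOLDEN, n, KEY, *attest(GOOD_BOOT, n)))
    print("altered boot admitted:", admit(GOLDEN, n, KEY, *attest(ALTERED_BOOT, n)))
```

The comparison is only as trustworthy as the component that takes the measurements and the key that signs the quote, which is why the check binds the reported value to a fresh nonce instead of accepting a bare hash from the client.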